Seems like immediate mode should be added into the UX spec to me, maybe even as "display=none". Is there any interest in that?
-- Justin

________________________________________
From: oauth-boun...@ietf.org [oauth-boun...@ietf.org] On Behalf Of Marius Scurtescu [mscurte...@google.com]
Sent: Friday, April 29, 2011 6:18 PM
To: Doug Tangren
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] implicit clients and refresh tokens

On Thu, Apr 21, 2011 at 9:26 AM, Doug Tangren <d.tang...@gmail.com> wrote:
> According to http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.2.2
> it doesn't look like clients of the implicit oauth2 flow should receive a
> refreshing token although it looks like the access token can optionally have
> an expires_in time set. Does this mean there is no step for an implicit
> client to refresh their access token without involving the user again?
>
> According to http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-6 it
> looks like a client needs to send in the client credentials, including the
> client secret, to refresh an access token. This is a no-go for clients that
> can't securely secure a client secret like a web browser.
>
> Is providing no way for an implicit client to refresh an access token
> without involving the resource owner intended?

This is a real issue and the only solution I am aware of is to support an immediate mode and auto-approvals. When the access token expires the client can try an immediate mode request in an invisible iframe. If it works, then it has a new access token; if not, then it must involve the user.

For immediate mode an extra parameter is needed, not defined in the core spec, that tells the authorization server that no UI should be shown and an auto-approval should be attempted. Google currently supports this; the immediate mode parameter is immediate=true. Auto-approval will happen if the same client/user/scopes/redirect_uri have been approved before.
Hope this helps,
Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth