On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten <t.lodderst...@telekom.de> wrote:

> Hi Marius,
>
> wrt "auto-approval": how is the authorization server supposed to validate
> the client's identity in a reliable way? Otherwise another application (using
> the id of the legitimate client) could abuse the authorization previously
> approved by the user as long as the session with the authorization server is
> valid. The redirect_uri won't help for all kinds of clients since a native
> app could use the correct redirect_uri and nevertheless get access to the
> token.
The only validation is based on the redirect URI. Native apps should not use the implicit flow, and in general there is no need for auto-approval for them.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
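To make the exchange above concrete, here is an added example (not code from either poster) of how an authorization server's auto-approval decision can be structured: the only client check available is an exact redirect_uri match against registration, so auto-approval is refused for public (native) clients and for implicit-flow requests, and granted only when prior consent already covers the requested scope. The client registry, consent records and client names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed client registry (hypothetical clients, not from the thread).
CLIENTS = {
    "web-confidential": {
        "public": False,
        "redirect_uris": {"https://app.example.com/cb"},
    },
    "native-public": {
        "public": True,
        "redirect_uris": {"com.example.app:/oauth2redirect"},
    },
}

# Constructed record of earlier user approvals: (user, client_id) -> granted scopes.
PRIOR_CONSENT = {
    ("alice", "web-confidential"): {"read"},
    ("alice", "native-public"): {"read"},
}


def redirect_uri_registered(client_id, redirect_uri):
    """Exact, character-for-character match against the registered set.

    No prefix or substring matching: that is what lets a second application
    with the legitimate client_id steer the redirect somewhere it controls.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    # A fragment in the registered/requested URI would collide with where
    # implicit-flow tokens are delivered, so reject it outright.
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def can_auto_approve(user, client_id, redirect_uri, response_type, scope):
    """Return (decision, reason) for skipping the consent screen on a repeat request."""
    if not redirect_uri_registered(client_id, redirect_uri):
        return False, "redirect_uri not registered for client"
    if CLIENTS[client_id]["public"]:
        # A native/public client cannot be authenticated: anyone can present its
        # client_id and, for custom schemes, claim its redirect_uri. Re-prompt.
        return False, "public client: consent required every time"
    if response_type == "token":
        # Implicit flow hands the token to the redirect target directly, so
        # redirect_uri is the only control; never auto-approve it.
        return False, "implicit flow: consent required"
    granted = PRIOR_CONSENT.get((user, client_id), set())
    if not set(scope) <= granted:
        return False, "scope exceeds prior consent"
    return True, "prior consent covers request"
```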