On Wed, May 11, 2011 at 11:44 AM, Lodderstedt, Torsten <t.lodderst...@telekom.de> wrote:
> How shall the authorization server ensure that the calling client is a
> user-agent based app (i.e. a native app could impersonate a user-agent based
> app)?

Through registration and redirect URI validation. A native app does not have to impersonate, they can just register a user-agent client. Everything boils down to the user trusting the app. As Breno mentions, nothing the spec can do to help with that.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
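
Added example, not part of the original message or of the OAuth spec text: one way an authorization server could apply the registration lookup and redirect URI validation the reply refers to. The client ids, URIs, the `profile` field and the rule tying `response_type=token` to user-agent registrations are assumptions made for illustration.

```python
# Constructed registration table (hypothetical client ids and redirect URIs).
REGISTERED_CLIENTS = {
    "webapp-123": {
        "profile": "user-agent",
        "redirect_uris": {"https://app.example.com/oauth/callback"},
    },
    "native-456": {
        "profile": "native",
        "redirect_uris": {"com.example.native:/oauth/callback"},
    },
}


class AuthorizationRequestError(Exception):
    """The request is rejected and the server must NOT redirect the user-agent."""


def validate_authorization_request(client_id, response_type, redirect_uri):
    """Return the redirect URI to use, or raise AuthorizationRequestError."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise AuthorizationRequestError("unknown client_id")

    # Assumption: tokens in the URI fragment are only issued to clients
    # that registered as user-agent clients.
    if response_type == "token" and client["profile"] != "user-agent":
        raise AuthorizationRequestError("client not registered for response_type=token")

    # Exact string comparison against the registered set: no prefix matching,
    # no normalisation, so path tricks and look-alike hosts do not match.
    if redirect_uri not in client["redirect_uris"]:
        raise AuthorizationRequestError("redirect_uri does not match registration")

    return redirect_uri


def is_allowed(client_id, response_type, redirect_uri):
    """Boolean wrapper around validate_authorization_request."""
    try:
        validate_authorization_request(client_id, response_type, redirect_uri)
        return True
    except AuthorizationRequestError:
        return False
```

These checks bind a response to the URI registered for a `client_id`; they do not tell the server what kind of software registered it. A native app that registers its own user-agent client passes them, which is the point made in the reply.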