OK, so you've got some native apps using the web server flow, and some using a modified version of the implicit grant that includes a refresh token.
I hate to say it, but I think this whole thing would be a lot simpler if we had a grant type called "native app". Instead everyone is adding unspecified parameters or making parameters optional so that they can support native apps properly. On Wed, Jun 1, 2011 at 12:41 AM, Chuck Mortimore <cmortim...@salesforce.com> wrote: > We have have need for all three types > > For web apps, we use web server flow with credentials, and can escalate some > capabilities for the client since we can be more assured we’re talking to > the actual client. > > For native apps, we support: > > the implicit grant ( but we wont give out a refresh token to web/js based > applications ) > the web server flow with a user+client_id specific secret which we can issue > through an admin controlled provisioning process. In this case we can also > escalate capabilities as we’re reasonably sure we’re talking to an instance > of the client. > > For JS Apps we support the implicit grant with no refresh token > > -cmort > > > On 6/1/11 12:16 AM, "Brian Eaton" <bea...@google.com> wrote: > > On Wed, Jun 1, 2011 at 12:08 AM, Chuck Mortimore > <cmortim...@salesforce.com> wrote: >> This is one reason we’ve favored implicit for native apps. > > OK, so are you using the implicit grant for both web apps and native > apps...? I'm trying to figure out if you need two flows are three. > > - web server flow > used with real secret client credentials > gives out long-lived tokens > > - native app flow > doesn't have real secret client credentials > gives out long-lived tokens > > - implicit flow for javascript apps > gives out short-lived tokens based on callback URLs > > (We need all three of those flows, BTW, plus at some point we'll get > around to implementing a javascript flow that returns authorization > codes, and a web server flow that provides short-lived credentials... > but those are lower priority.) > > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
