On Wed, Jun 15, 2011 at 5:21 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> > I suspect another choice of words would be useful there. Implicit grants
> > rely on the browser's authentication of the receiving web site. When https is
> > used, that authentication is fairly strong.
>
> "authentication of the receiving web site"? Authentication how, and what is
> a receiving web site?
>
> The implicit grant relies on the presence of the user to "vouch" for the
> client by making the connection of how it got to the authorization server
> and what she is being asked to approve. In other words, the user does
> something that lands her in front of an authorization page. If that page makes
> sense to her in that flow, she approves access to the party that got her
> there.

Security for the implicit grant type comes from identifying the client based on the redirect URI. At client registration time, you bind client_id X to redirect URIs Y and Z. If the redirect URIs use HTTPS, that gives you reasonable security.
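The registration check described in the reply, as an added example that is not code from the thread or from any OAuth library: an authorization server keeps the registered redirect URIs per client_id (the "client-x" entry and its URIs are constructed placeholders) and, before sending the token in the fragment, accepts a redirect_uri only if it is an exact registered match over HTTPS.

```python
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed registry: at client registration time, client_id X is bound to
# redirect URIs Y and Z. These values are placeholders for this example.
REGISTERED_REDIRECT_URIS = {
    "client-x": {
        "https://app.example/oauth/callback",
        "https://app.example/oauth/callback-alt",
    },
}


def validate_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """True only if redirect_uri is one the client registered, over HTTPS.

    Exact string comparison is deliberate: prefix, substring or host-only
    matching would let a different host or path receive the token that the
    implicit grant places in the URL fragment.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return False  # unknown client: nothing to compare against
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return False  # HTTPS is what lets the browser authenticate the receiving site
    if parts.fragment:
        return False  # the token goes in the fragment; a pre-set fragment is rejected
    return redirect_uri in registered


def build_implicit_redirect(client_id: str, redirect_uri: str,
                            access_token: str) -> Optional[str]:
    """After the user approves, return the redirect carrying the token in the
    fragment, or None when the redirect_uri fails the registration check."""
    if not validate_redirect_uri(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={quote(access_token)}&token_type=bearer"


if __name__ == "__main__":
    for uri in ("https://app.example/oauth/callback",
                "http://app.example/oauth/callback",
                "https://app.example.attacker.example/oauth/callback",
                "https://app.example/oauth/callback/../other"):
        print(uri, "->", build_implicit_redirect("client-x", uri, "tok123"))
```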
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth