The OAuth 2.0 spec specifically says not to return the access_token to the user-agent (which I understand), but it does not indicate how to associate the access_token with a particular client session.
This seems like an important omission, since any way that spoofs how the client recognizes a user-agent request as belonging to a resource owner is as good as spoofing the access_token. I searched the list archives and in general googled around, but I don't see any discussion of this. In our use case, we want to recognize the customer based on their authentication with the auth server, so ideally we do not require a login in the client's domain. Can someone point me to discussions around this?

Thanks,
Bobby
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
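The usual answer to the question above is that the binding is the client's own job: a confidential client keeps the access_token on the server, keyed by an opaque session identifier that is the only secret the user-agent ever holds, and ties the authorization-request `state` to that same session so a callback can only complete the flow the same user-agent started. The following is an added illustration of that pattern, not code from the original post, from the IETF list, or from any OAuth library. It assumes an in-memory dict as the session store and that the client back end has already exchanged the authorization code for the token before calling `complete_authorization`; the token values in the demo are constructed.

```python
"""Server-side binding of an OAuth 2.0 access_token to a client session.

Added illustration (not code from the original post or any OAuth library).
The user-agent only ever holds an opaque session id in a cookie; the
access_token lives in the client's server-side store, keyed by that id.
The `state` value is also bound to the session, so the callback can only
complete the authorization that this exact session started.
Storage is an in-memory dict here (assumption); a real client would use a
server-side session store with expiry.
"""
import hmac
import secrets
import time
from typing import Dict, Optional

# session_id -> session record; only the id ever reaches the user-agent
_SESSIONS: Dict[str, dict] = {}


def create_session() -> str:
    """Start an anonymous client session and return its opaque identifier."""
    session_id = secrets.token_urlsafe(32)  # 256 bits, unguessable
    _SESSIONS[session_id] = {"state": None, "access_token": None, "created": time.time()}
    return session_id


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: the id is the only secret the browser holds, so keep it
    out of script reach, off plaintext HTTP, and off cross-site requests."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def begin_authorization(session_id: str) -> dict:
    """Mint a fresh `state` bound to this session and return the
    authorization-request parameters the client redirects with."""
    record = _SESSIONS[session_id]  # KeyError for an unknown session
    record["state"] = secrets.token_urlsafe(32)
    return {"response_type": "code", "state": record["state"]}


def complete_authorization(session_id: str, returned_state: str, access_token: str) -> None:
    """Callback handler: accept the token only if `state` matches the one issued
    to this session, then store the token server-side and invalidate the state.
    (Assumes the code-for-token exchange already happened in the back end.)"""
    record = _SESSIONS.get(session_id)
    if record is None or record["state"] is None:
        raise PermissionError("no pending authorization for this session")
    if not hmac.compare_digest(record["state"], returned_state):
        raise PermissionError("state mismatch: callback is not from this session")
    record["state"] = None  # single use
    record["access_token"] = access_token


def token_for_session(session_id: str) -> Optional[str]:
    """Resolve the access_token for an incoming user-agent request by its cookie.
    Unknown or logged-out sessions resolve to None, never to someone else's token."""
    record = _SESSIONS.get(session_id)
    return record["access_token"] if record else None


def logout(session_id: str) -> None:
    """Dropping the session record also drops the token binding."""
    _SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid = create_session()
    params = begin_authorization(sid)
    # constructed token value standing in for what the token endpoint returned
    complete_authorization(sid, params["state"], "ACCESS-TOKEN-constructed")
    assert token_for_session(sid) == "ACCESS-TOKEN-constructed"
    print(session_cookie(sid))
```

The point the post raises still holds: whoever presents the session cookie is treated as the resource owner, so the cookie must be as well protected as the token it stands for (unguessable, HttpOnly, Secure, rotated on login, dropped on logout). What the pattern buys is that the token itself never crosses to the user-agent, and that a callback carrying someone else's `state` is rejected rather than silently attached to the wrong session.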