Bill, I can't comment on how effective your use of "private metadata" is to supporting effective authentication of clients. If you feel it is sufficient then you could classify them as "confidential" since you are authenticating based on the metadata.
I also can't comment on CORS as I am not familiar with it. I would take a look at the Threat Model (RFC 6819) in addition to 6749 and 6750 to get a better idea of the many issues - particularly with browsers - that are faced.

Phil
@independentid
www.independentid.com
phil.h...@oracle.com

On 2014-03-27, at 8:30 AM, Bill Burke <bbu...@redhat.com> wrote:

> I'm still trying to wrap my head around the differences between public and confidential clients. In our IDP impl, we check redirect uris and associate a lot of private metadata to the access code to ensure there is no client_id swapping. My understanding was that confidential clients made sure that only an authenticated client could obtain an access token.
>
> What if you throw CORS in the mix where your browser needs the access token (and the ability to refresh it) to make cross-domain requests? Doesn't this remove a large benefit of confidential clients?
>
> Anybody know a good document that describes the difference and pros/cons of public vs. confidential clients beyond the actual OAUTH spec itself?
>
> Thanks
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
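Added example, not code from either poster or from any IDP: a minimal authorization-server token endpoint that binds each authorization code to the client_id and redirect_uri it was issued for (the "private metadata" check Bill describes, which blocks client_id swapping) and, separately, requires client authentication only for confidential clients, as RFC 6749 sections 2.3.1 and 4.1.3 describe. Client ids, secrets and redirect URIs below are constructed.

```python
# Added example: authorization-code binding plus confidential-client authentication.
# Registry and secrets are constructed placeholders, not real clients.
import hmac
import secrets
import time

# client_id -> (client_type, client_secret or None, registered redirect_uri)
CLIENTS = {
    "web-app": ("confidential", "s3cret-web", "https://app.example/cb"),
    "spa": ("public", None, "https://spa.example/cb"),
}

# Server-side "private metadata" keyed by the opaque code the browser carries.
CODES = {}


def issue_code(client_id, redirect_uri, user="alice", ttl=600):
    """Authorization endpoint: only issue a code to a registered redirect_uri."""
    _, _, registered = CLIENTS[client_id]
    if redirect_uri != registered:
        raise ValueError("redirect_uri not registered for client")
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user": user, "expires": time.time() + ttl}
    return code


def exchange_code(code, client_id, redirect_uri, client_secret=None):
    """Token endpoint: return (ok, error_or_token). The code is single use."""
    ctype, secret, _ = CLIENTS.get(client_id, (None, None, None))
    if ctype is None:
        return False, "invalid_client"
    # Confidential clients must authenticate; public clients cannot (RFC 6749 2.3.1).
    if ctype == "confidential":
        if client_secret is None or not hmac.compare_digest(secret, client_secret):
            return False, "invalid_client"
    # Consume the code unconditionally: a second presentation, or a presentation
    # by the wrong client, must never succeed (one-time use per RFC 6749 4.1.2).
    meta = CODES.pop(code, None)
    if meta is None or meta["expires"] < time.time():
        return False, "invalid_grant"
    # Binding check: the redeeming client_id and redirect_uri must match the
    # ones the code was issued for (RFC 6749 4.1.3); this is what defeats swapping.
    if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
        return False, "invalid_grant"
    return True, "access_token:" + secrets.token_urlsafe(16)
```

Note that the public "spa" client is still protected by the code binding even though it presents no secret; what the secret adds for "web-app" is that a stolen code alone is not enough to obtain a token.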