The threat model doc was really great, but I still couldn't find
anything concrete on what guarantees you lose if you use a public client
vs. a confidential one. Honestly, I'm just trying to have the right
info to guide users on what auth flow to use and the pros/cons.
On 3/27/2014 7:59 PM, Prateek Mishra wrote:
> Bill - as you are referencing CORS in your message, I assume you are
> discussing a Javascript-only (browser) client. I believe the implicit flow
> was designed for this case and this flow never involves a confidential
> client.
Yes, it is a Javascript (browser) client. Implicit flow doesn't allow
for a refresh token. Our browser javascript code uses CORS also when
participating in the access code grant flow.
Our access codes are digitally signed, and unique. They can only be
turned into an access token once. They are associated privately with a
redirect URI, state, and client_id. And they have a timeout. We do
validation/verification at each part of the flow to make sure the
redirectURI, state, and/or client_id is valid. I just want to know what
to tell users about the security implications of using a public client
in this scenario.
> Confidential clients may be used with the other flows (code,
> resource,..) that are capable of making a TLS call to a Token Endpoint.
BTW, is there a better list for these types of questions? Didn't have a
lot of luck on the Google Group for OAuth.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
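The authorization-code properties Bill lists (signed, unique, redeemable once, bound to client_id, redirect URI and state, with a timeout) together with the one check that differs between a public and a confidential client at the token endpoint, as an added example; this is not code from the thread or from the JBoss project. It assumes HMAC-SHA256 over a JSON payload as the signature scheme, a constructed two-entry client registry ("spa-public" with no secret, "backend-conf" with a secret) and illustrative example.com-style redirect URIs; the `demo()` function walks a happy path, a replay, a binding mismatch, a tampered code, an expired code, and finally a leaked code redeemed by someone other than the client it was issued to.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Toy authorization server: mints and redeems signed, single-use codes.
    Client registry and signature scheme are assumptions for this example."""

    def __init__(self, signing_key: bytes, now=time.time, ttl: int = 60):
        self.key = signing_key
        self.now = now          # injectable clock so expiry can be exercised offline
        self.ttl = ttl          # code lifetime in seconds
        self.used = set()       # nonces of codes already redeemed (single use)
        # Constructed registry: a public client has no secret, a confidential one does.
        self.clients = {
            "spa-public": {"secret": None, "redirect_uri": "https://app.example/cb"},
            "backend-conf": {"secret": b"s3cr3t", "redirect_uri": "https://srv.example/cb"},
        }

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue_code(self, client_id: str, redirect_uri: str, state: str) -> str:
        """Authorization endpoint: a signed code bound to client_id, redirect_uri
        and state, made unique by a random nonce and limited by an exp claim."""
        if self.clients[client_id]["redirect_uri"] != redirect_uri:
            raise ValueError("redirect_uri is not registered for this client")
        claims = {"cid": client_id, "ru": redirect_uri, "st": state,
                  "exp": int(self.now()) + self.ttl, "n": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return _b64(payload) + "." + _b64(self._sign(payload))

    def exchange(self, code: str, client_id: str, redirect_uri: str, client_secret=None):
        """Token endpoint. Returns (ok, reason_or_token). The state claim is carried so
        the redirect handler can cross-check it; it is not part of the token request."""
        try:
            p64, s64 = code.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
        except Exception:
            return (False, "malformed_code")
        if not hmac.compare_digest(sig, self._sign(payload)):
            return (False, "bad_signature")
        claims = json.loads(payload)
        if claims["exp"] < self.now():
            return (False, "expired")
        if claims["cid"] != client_id or claims["ru"] != redirect_uri:
            return (False, "binding_mismatch")
        client = self.clients.get(client_id)
        if client is None:
            return (False, "unknown_client")
        # This is the only step that depends on the client type: a confidential
        # client must prove possession of its secret; a public client cannot.
        if client["secret"] is not None:
            if client_secret is None or not hmac.compare_digest(client["secret"], client_secret):
                return (False, "client_auth_failed")
        if claims["n"] in self.used:
            return (False, "replay")
        self.used.add(claims["n"])
        return (True, "access_token:" + secrets.token_hex(16))


def demo() -> dict:
    clock = [1_000_000]   # fake clock, seconds
    srv = AuthServer(b"server-signing-key", now=lambda: clock[0], ttl=60)
    pub, pub_ru = "spa-public", "https://app.example/cb"
    conf, conf_ru = "backend-conf", "https://srv.example/cb"
    out = {}
    # Happy path, then the same code presented a second time.
    code = srv.issue_code(pub, pub_ru, "xyz")
    out["public_ok"] = srv.exchange(code, pub, pub_ru)[0]
    out["replay"] = srv.exchange(code, pub, pub_ru)[1]
    # Binding, signature and expiry checks on a fresh code.
    code = srv.issue_code(pub, pub_ru, "xyz")
    out["wrong_client"] = srv.exchange(code, conf, conf_ru, b"s3cr3t")[1]
    tampered = code.split(".")[0] + "." + _b64(bytes(32))
    out["tampered"] = srv.exchange(tampered, pub, pub_ru)[1]
    clock[0] += 61
    out["expired"] = srv.exchange(code, pub, pub_ru)[1]
    # A leaked code. For the public client, client_id and redirect_uri are all the
    # token endpoint can ask for, and both are public: first presenter wins.
    stolen = srv.issue_code(pub, pub_ru, "xyz")
    out["thief_public"] = srv.exchange(stolen, pub, pub_ru)[0]
    out["owner_public_after"] = srv.exchange(stolen, pub, pub_ru)[1]
    # Same leak against the confidential client: without the secret it is refused.
    stolen = srv.issue_code(conf, conf_ru, "xyz")
    out["thief_conf"] = srv.exchange(stolen, conf, conf_ru)[1]
    out["owner_conf"] = srv.exchange(stolen, conf, conf_ru, b"s3cr3t")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Every binding and single-use property in the message holds for both client types; what the run makes concrete is that those properties only guarantee a code is redeemed once, by someone presenting the bound client_id and redirect URI, and for a public client those two values are not secrets.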