Hi,

Having spent most of my time with native apps and web apps, I am now looking at use cases where I need to implement a user-agent-based app. The Implicit flow seems to be optimized for this.

To test my understanding, this flow is for a JavaScript client (or similar) executing within a web browser. At step (a) the client directs the UA to the authorization server, but the authorization server redirects the UA to a web-hosted client resource. Why? It says so that the web-hosted client resource can push JavaScript (or other) back into the UA so it can extract the access token in the fragment; but some sort of JavaScript is already running in the browser, since it initiated the authorization request in the first place. So why this extra step? Why not treat the JavaScript client running in the UA like a native app and handle the redirect URI? I know this was well thought out when the spec was written, so I'm trying to figure out what I'm missing.

Tx!
adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
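The step the message asks about, as an added example that is not part of the original post: the script a web-hosted client resource would serve to read the access token response out of the URL fragment (RFC 6749 section 4.2.2) and check it against the state value the client saved before step (a). Function names are assumptions; the sample fragment is constructed from the RFC's own example values.

```javascript
// Added example, not from the original post. Parses the implicit-grant
// response that the authorization server placed in the redirect URI fragment
// and validates it before the client uses the token. Names are assumptions.

// Parse "#access_token=...&token_type=...&state=..." into a plain object.
function parseFragment(fragment) {
  const text = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  return Object.fromEntries(new URLSearchParams(text));
}

// Validate the fragment response. Returns {ok: true, token} on success or
// {ok: false, reason} when the response must be discarded. "expectedState" is
// the value the client stored (e.g. in sessionStorage) before redirecting.
function handleImplicitRedirect(fragment, expectedState) {
  const params = parseFragment(fragment);
  // The state must round-trip unchanged; otherwise the response was not
  // produced for a request this client made (CSRF / token injection).
  if (!expectedState || params.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  // The server may return an error instead of a token (section 4.2.2.1).
  if (params.error) {
    return { ok: false, reason: 'error: ' + params.error };
  }
  if (!params.access_token || !params.token_type) {
    return { ok: false, reason: 'missing access_token or token_type' };
  }
  // expires_in is optional, but if present it must be a positive number.
  const expiresIn = params.expires_in === undefined ? undefined : Number(params.expires_in);
  if (expiresIn !== undefined && !(expiresIn > 0)) {
    return { ok: false, reason: 'invalid expires_in' };
  }
  return {
    ok: true,
    token: {
      accessToken: params.access_token,
      tokenType: params.token_type,
      scope: params.scope,
      expiresIn,
    },
  };
}

// Constructed sample fragment (values from the RFC 6749 example), as the
// authorization server's redirect would leave it in window.location.hash.
const SAMPLE_FRAGMENT =
  '#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600';
```

The browser does not send the fragment with the request for the redirect URI, so only script running in the UA can read it; in a real page the input would be `window.location.hash`.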