On 2/9/2015 5:03 PM, John Bradley wrote:
> OK, I don't know if the WG has discussed the issue of fragments in browser history. So you are trading off several round trips against the possibility of a token leaking in browser history or bookmark?
Yes, bookmarking tokens is a little scary, IMO, as we've already run into users bookmarking URLs with codes in them.
Also, weren't there additional security vulnerabilities surrounding implicit flow? Maybe these were just the product of incorrect implementations; I don't remember, it was a while ago.
> One extension that Connect introduced was a "code id_token" response type that is fragment encoded. That would let you pass the code directly to the JS, saving two legs.
It looks like OIDC added a "response_mode" parameter where you can specify "query" or "fragment". Thanks for pointing this out!
Thanks for all the help.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
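The fragment-encoded "code id_token" response and the response_mode parameter discussed in the thread, as an added JavaScript example that is not part of the mailing-list exchange and not the code of any OAuth or OpenID Connect library. The endpoint, client_id, redirect_uri, state and the code/id_token values are constructed placeholders; id_token signature and nonce validation are out of scope here. It shows why the fragment matters for the leak the thread worries about: everything after "#" stays in the browser and is never sent in the request or in a Referer header, while a query-encoded code is, and it shows the clean-up a JS client should do so the history entry or a bookmark does not keep the code.

```javascript
// Added example (not from the thread): building an OIDC authorization request
// with response_type "code id_token" and response_mode, and consuming the
// redirect on the JS side. Uses only the WHATWG URL API (Node and browsers).
// All endpoint/client values below are constructed placeholders.
const AUTHZ_ENDPOINT = "https://op.example/authorize"; // hypothetical OP

function buildAuthorizationUrl({ clientId, redirectUri, responseType, responseMode, scope, state, nonce }) {
  const u = new URL(AUTHZ_ENDPOINT);
  u.searchParams.set("response_type", responseType);   // e.g. "code id_token"
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scope);
  u.searchParams.set("state", state);                   // CSRF binding, checked below
  if (nonce) u.searchParams.set("nonce", nonce);        // required when an id_token is returned
  if (responseMode) u.searchParams.set("response_mode", responseMode); // "query" or "fragment"
  return u.toString();
}

// Parse the OP's redirect back to the client. Parameters after "#" are
// fragment-encoded: the browser keeps them client-side and never puts them
// in the HTTP request line, server logs or a Referer header. Parameters
// after "?" are query-encoded and do travel to the server hosting redirect_uri.
function parseAuthorizationResponse(redirectedUrl) {
  const u = new URL(redirectedUrl);
  const fromFragment = u.hash.length > 1;
  const params = new URLSearchParams(fromFragment ? u.hash.slice(1) : u.search);
  const out = { mode: fromFragment ? "fragment" : "query" };
  for (const [k, v] of params) out[k] = v;
  return out;
}

// Accept a "code id_token" response only if it is not an error, the state
// matches what this client sent, and both artifacts are present.
function acceptCodeIdTokenResponse(response, expectedState) {
  if (response.error) throw new Error(`authorization error: ${response.error}`);
  if (response.state !== expectedState) throw new Error("state mismatch (possible CSRF)");
  if (!response.code || !response.id_token) throw new Error("code id_token response missing code or id_token");
  return { code: response.code, idToken: response.id_token };
}

// URL to write back with history.replaceState(null, "", scrubbedUrl(location.href))
// once the response has been consumed, so the history entry or a bookmark
// of the current page no longer carries the code, token or state.
function scrubbedUrl(redirectedUrl) {
  const u = new URL(redirectedUrl);
  u.hash = "";
  for (const k of ["code", "id_token", "access_token", "state", "error"]) u.searchParams.delete(k);
  return u.toString();
}

// Usage (constructed values):
const state = "af0ifjsldkj";
const authUrl = buildAuthorizationUrl({
  clientId: "s6BhdRkqt3", redirectUri: "https://client.example/cb",
  responseType: "code id_token", responseMode: "fragment",
  scope: "openid profile", state, nonce: "n-0S6_WzA2Mj",
});
const redirected = "https://client.example/cb#code=SplxlOBeZQQYbYS6WxSbIA&id_token=eyJ.abc.def&state=" + state;
const accepted = acceptCodeIdTokenResponse(parseAuthorizationResponse(redirected), state);
console.log(authUrl, accepted, scrubbedUrl(redirected));
```

In a real browser client the scrubbed URL is written back with history.replaceState immediately after the fragment is read; the id_token still has to be validated (signature, issuer, audience, nonce) before the code is exchanged at the token endpoint.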