Hi everyone, On 17/11/2018 13:07, Torsten Lodderstedt wrote: > >> The alternative, as you mentioned, is to not issue refresh tokens and do >> token renewal the "same old way" via iframe with prompt=none, while still >> using code flow. > yes. > > Have you ever experienced issues with the latter approach and the browser’s > 3rd party cookie policy?
I expect that what's ultimately going to drive people away from "implicit" and to "code" is blocked 3rd party cookies in browsers breaking renewal for clients via an iframe. IMO this policy is only more likely to spread out in browsers than getting rolled back. Vladimir
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
