Thanks again everyone for the additional feedback on -01. I've incorporated the discussion into a new draft which is now published.
https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02

Here's a summary of the changes:

* Added a new section with recommendations for refresh tokens, referencing OAuth 2.0 Security Topics
* Added some more details on risks of the implicit flow
* Added a new section discussing the situation where a browser app has its own server backend
* Mention explicitly that clients must verify "state"
* Fixed some minor typos
* Updated acknowledgments section
* Fixed working group name and target status

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth