I have not seen this as a requirement, but the devices that I’ve worked on were not implemented or constrained in the same way that yours were. This seems like it is a detail of that environment. That said, the device grant spec doesn’t preclude the use of CORS on the device endpoint by being silent about it. I don’t see harm in mentioning CORS in this draft, but I would defer to others with more direct experience in device implementation.
— Justin

On Apr 5, 2019, at 1:13 PM, Filip Skokan <panva...@gmail.com> wrote:

Hello *,

I recall implementing an early draft of this flow a few years ago for a client landscape composed primarily of older set-top boxes, old and new TV models of various brands (LG, Samsung, Sony) and also HbbTV standards 1.5 and 2.0. I remember having to set up CORS on both the device authorization and token endpoints (unheard of at the time!) for the sake of these clients.

The reason they required CORS is that these were implemented using mostly proprietary XHTML/HTML5-based sandboxes running on those devices. The APIs developers were given were JavaScript ones; more specifically, the HTTP client was obviously XMLHttpRequest, and the whole app, when being developed, was debugged in a regular browser.

Since the specification does not mention CORS anywhere, I wonder if

a) I was deceived by our business partners into thinking this was a generic problem of these client types and not just developers being too lazy to turn off CORS when debugging,
b) this was corrected, or
c) it's still happening and no one has brought it up.

What are your experiences with CORS setup on the device authorization and token endpoints in relation to device flow for Smart TV, set-top boxes and HbbTV stream apps (excluding tvOS and AndroidTV)?

Best,
Filip

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
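An added example, not part of the thread or of any implementation mentioned in it: a sketch of the CORS handling an authorization server would need for XMLHttpRequest-based device clients like those described above. The endpoint paths and the allowed origin are assumptions, and `needsPreflight` is a simplified model of the browser's rule, included to show that a plain form-encoded POST skips the preflight while client authentication via an `Authorization` header triggers one.

```javascript
// Added example. Paths and origin below are hypothetical / constructed values.
const CORS_PATHS = new Set(['/device_authorization', '/token']);
const ALLOWED_ORIGINS = new Set(['https://tv-app.example']);

// Server side: CORS response headers for a request, or null when none apply.
// reqHeaders uses lower-case names, as Node's http module provides them.
function corsHeaders(method, path, reqHeaders) {
  const origin = reqHeaders['origin'];
  if (!CORS_PATHS.has(path) || !origin || !ALLOWED_ORIGINS.has(origin)) {
    return null; // unknown origin: browser blocks the script from reading the response
  }
  // Echo the allowlisted origin rather than "*", and vary caches on it.
  // No Access-Control-Allow-Credentials: these endpoints do not rely on cookies.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    // Preflight response: permit only what the device client needs.
    headers['Access-Control-Allow-Methods'] = 'POST';
    headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Browser side (simplified model): does this XHR cause a preflight?
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function needsPreflight(method, authorHeaders) {
  if (!['GET', 'HEAD', 'POST'].includes(method)) return true;
  return Object.entries(authorHeaders).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true; // e.g. Authorization
    if (n !== 'content-type') return false;
    return !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Constructed sample: a public client posting client_id in the form body.
const form = { 'Content-Type': 'application/x-www-form-urlencoded' };
console.log('public client preflight:', needsPreflight('POST', form));
console.log('basic-auth client preflight:',
  needsPreflight('POST', { ...form, Authorization: 'Basic ZXhhbXBsZQ==' }));
console.log(corsHeaders('POST', '/token', { origin: 'https://tv-app.example' }));
```

Even when no preflight is sent, the POST response still has to carry `Access-Control-Allow-Origin`, otherwise the script cannot read the device code or token response.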