I would like to propose an OAuth 2 extension that helps native clients
close the loop after the approval page. The extension defines a
special value for the redirect URI for the case when the client does
not have such a URI and it also defines that the authorization server
should provide a default

Hi David,
A few suggestions for this extension. I am assuming that you will
update it soon to conform to draft 11 of the core protocol.
1. Instead of passing an assertion, why not treat it as another grant
type and pass all parameters as POST parameters? For example:
POST /token HTTP/1.1
Host: s

On Thu, Dec 23, 2010 at 9:38 PM, Francisco Corella wrote:
> Thank you very much for your detailed reading of the paper
> and your very useful comments. I've revised the paper based
> on your comments and put a new version online, with an
> acknowledgment of your contribution.
I'm glad you found

I know the expiration time is just a hint, but it's a useful hint to save
clients and servers from many requests leading to 401 errors. If we can find a
solution to make this hint more reliable in all use-cases, why not do it?
The problem here arises when you acquire an OAuth session from javasc