We've taken a similar approach for SMART Health IT [1], using the code flow
for public clients to support in-browser apps, and <1h token lifetime. (We
also allow these public clients to request a limited-duration refresh token
by asking for an "online_access" scope; these refresh tokens stop workin
For our IDP [1], our JavaScript library uses the auth code flow, but
requires a public client, redirect_uri validation, and also does CORS
checks and processing. We did not like Implicit Flow because
1) access tokens would be in the browser history
2) short lived access tokens (seconds or min
Hello Folks,
I noticed that Google supports the OAuth 2 Implicit flow for third-party
JavaScript applications.
https://developers.google.com/identity/protocols/OAuth2UserAgent
Isn't this generally discouraged from a security POV? *Is there a better
OAuth 2 flow for third party SPA applications?*
Many thanks for your review, Joel.
I have balloted no-objection for this document on today’s IESG telechat.
Jari
On 03 Feb 2017, at 01:03, Joel Halpern wrote:
> Reviewer: Joel Halpern
> Review result: Not Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review T
Alexey Melnikov has entered the following ballot position for
draft-ietf-oauth-jwsreq-12: Discuss
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to https:
Hi Alexey,
Sorry, my fault: I read redirect_uri instead of request_uri and was confused...
Mirja
On 16.02.2017 11:48, Alexey Melnikov wrote:
> Hi Mirja,
> On 16 Feb 2017, at 10:31, Mirja Kuehlewind wrote:
> (Snip)
> > - Should this be like this?
> > OLD
> > ""request" and "request_uri" parameters MUST NO
Hi Mirja,
> On 16 Feb 2017, at 10:31, Mirja Kuehlewind wrote:
(Snip)
> - Should this be like this?
> OLD
> ""request" and "request_uri" parameters MUST NOT be included in Request
> Objects."
> NEW
> ""request" and "request_uri" parameters MUST NOT be both included in
> Request Objects."
You c
Mirja Kühlewind has entered the following ballot position for
draft-ietf-oauth-jwsreq-12: No Objection
Please refer to h