The threat model doc was really great, but I still couldn't find
anything concrete on what guarantees you lose if you use a public client
vs. a confidential one. Honestly, I'm just trying to have the right
info to guide users on what auth flow to use and the pros/cons.
On 3/27/2014 7:59 PM, P
Bill - as you are referencing CORS in your message, I assume you are
discussing a Javascript-only (browser) client. I believe the implicit flow
was designed for this case and this flow never involves a confidential
client.
Confidential clients may be used with the other flows (code,
resource,.
Bill,
I can't comment on how effective your use of "private metadata" is in
supporting effective authentication of clients. If you feel it is sufficient,
then you could classify them as "confidential", since you are authenticating
based on the metadata.
I also can't comment on CORS as I am not
I'm still trying to wrap my head around the differences between public
and confidential clients. In our IDP impl, we check redirect uris and
associate a lot of private metadata to the access code to ensure there
is no client_id swapping. My understanding was that confidential
clients made sur
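The checks discussed in this thread (redirect URI validation, binding the authorization code to the client_id so it cannot be swapped, and the extra step a confidential client has to pass at the token endpoint) as an added illustration. This is example code written for this page, not the IdP Bill describes or any real server; the in-memory AuthServer, the client ids, redirect URIs and secrets are all invented. It also shows the concrete guarantee a public client gives up: a leaked code plus the (public) client_id is enough to redeem it.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory authorization server for illustration only; none of
# these names come from the thread or from a real implementation.


@dataclass
class Client:
    client_id: str
    redirect_uris: set
    client_secret: Optional[str] = None  # None means a public client

    @property
    def confidential(self) -> bool:
        return self.client_secret is not None


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)  # code -> binding metadata

    def register(self, client: Client) -> None:
        self.clients[client.client_id] = client

    def authorize(self, client_id: str, redirect_uri: str, user: str) -> str:
        """Authorization endpoint: only mint a code for a registered client
        and an exactly registered redirect URI, and record both with it."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise ValueError("invalid_client_or_redirect")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id,
                            "redirect_uri": redirect_uri, "user": user}
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              client_secret: Optional[str] = None):
        """Token endpoint. Returns (token, None) or (None, error)."""
        client = self.clients.get(client_id)
        if client is None:
            return None, "invalid_client"
        # Confidential clients must prove who they are; public clients cannot.
        if client.confidential:
            if client_secret is None or not hmac.compare_digest(
                    client.client_secret, client_secret):
                return None, "invalid_client"
        # Codes are single use: pop before checking so a misused code is
        # burned even if the rest of the check fails.
        binding = self.codes.pop(code, None)
        if binding is None:
            return None, "invalid_grant"
        # The code is bound to the client and redirect URI it was issued for,
        # so presenting it under another client_id (swapping) is rejected.
        if (binding["client_id"] != client_id
                or binding["redirect_uri"] != redirect_uri):
            return None, "invalid_grant"
        return {"access_token": secrets.token_urlsafe(24),
                "sub": binding["user"]}, None


def demo() -> dict:
    """Run the scenarios discussed in the thread and report the outcomes."""
    srv = AuthServer()
    srv.register(Client("web-app", {"https://app.example/cb"}, "s3cr3t"))
    srv.register(Client("spa", {"https://spa.example/cb"}))      # public
    srv.register(Client("other", {"https://other.example/cb"}))  # public
    results = {}

    # 1. Confidential client redeems its own code with its secret.
    code = srv.authorize("web-app", "https://app.example/cb", "alice")
    tok, err = srv.token(code, "web-app", "https://app.example/cb", "s3cr3t")
    results["confidential_ok"] = err is None and tok["sub"] == "alice"

    # 2. Attacker holds a leaked code and the client_id but not the secret.
    code = srv.authorize("web-app", "https://app.example/cb", "alice")
    _, err = srv.token(code, "web-app", "https://app.example/cb", "guess")
    results["confidential_leaked_code"] = err

    # 3. client_id swapping: a code minted for web-app presented as "other".
    code = srv.authorize("web-app", "https://app.example/cb", "alice")
    _, err = srv.token(code, "other", "https://app.example/cb")
    results["client_id_swap"] = err

    # 4. Public client: a leaked code plus the public client_id succeeds.
    code = srv.authorize("spa", "https://spa.example/cb", "alice")
    _, err = srv.token(code, "spa", "https://spa.example/cb")
    results["public_leaked_code"] = err is None

    # 5. ... but replaying the consumed code fails.
    _, err = srv.token(code, "spa", "https://spa.example/cb")
    results["replay"] = err
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Scenarios 2 and 4 are the difference the first message asks about: the redirect URI and code-binding checks stop client_id swapping for both client types, but only a confidential client's secret stops someone who already has the code from redeeming it.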