PS: I did resist the temptation to do DH key agreement in the authorization
request/response and then use the agreed key as the code proof.
That would also be secure but not popular with developers.
John B.
On Nov 9, 2013, at 7:51 AM, John Bradley wrote:
> With a native app using a captive br
Nat/Naveen,
I must confess I keep going back and forth on this issue.
Clearly this draft is a fix for the issue of:
1. Real app initiates authorize request
2. 'bad' app intercepts grant because it has taken over the access token.
But while I agree this is a problem, what's to stop the 'bad' ap