> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] client secret used in Native App profile
I think the line between 'native apps' and 'user-agent apps' is
fuzzier than that. If the only difference being considered is that
user-agent apps are not compiled (Javascript) vs. native apps that
are, that is not the whole picture. Some native apps may not be
compiled (think Python, etc.) and even
If we consider an HTML5 browser, I am not sure there is a clear
separation between native apps and user agent clients. What is the
technical difference between a native app and a browser that supports
HTML 5 localStorage?
On Fri, Jun 25, 2010 at 9:22 AM, Marius Scurtescu wrote:
I think the main difference is that User-Agent clients (aka JavaScript
clients) cannot store a secret while Native Apps can safely store a
secret, but the secret cannot be distributed (or, even if it can be
distributed, it may not have much value).
The difference is important. Each native app inst
In the 'User-Agent' profile, it says:
"This user-agent profile does not utilize the client secret since the
client executables reside on the end-user's computer or device which
makes the client secret accessible and exploitable"
However, the 'Native Apps' profile does not include such verbi