- changed status to on hold
Registration 2.1 - What is application_type (native, web) used for?
What is the parameter application_type (native, web) used for? Why does this matter and shouldn’t this be specified in terms of the different protocols behaviors and not in terms of some classification system for clients? E.g. do they use implicit or not?
Comments (11)
- changed title to Registration 2.1 - What is application_type (native, web) used for?
reporter We need to define for implementers what the intended behaviors and restrictions of these types are.
- changed status to open
reporter One possible use of this parameter is that the code flow should be used when the client is a native application. That statement should probably be added to the spec.
The behavior implications of 'native' or 'web' are related to issue #539. The main reason for knowing whether an application is 'native' or 'web' revolves around whether to provide the application with "offline access". However, the distinction is also useful in addressing "malicious" activity. For example, if a token shows up at an API with an HTTP referrer header and the token is associated with a client_id of a native app, it is a little unusual and worth tracking/investigating.
Proposed text:
application_type OPTIONAL. The defined values are 'native' and 'web', where 'native' is used for those applications that run natively on a device, as distinguished from 'web', where the application runs in a web browser (either directly within the browser or as driven by a web server).
+1 that the rationale and expected behavior around application_type need to be provided.
reporter Brian pointed out we need to specify the expected behaviors when these parameters are used.
We may need to differentiate web server and JavaScript client as well.
https://developers.google.com/console/help/#generatingoauth2
Google defines 3 options: Web applications, Service accounts, Installed applications.
Web Apps require a redirect URI be registered and can use Implicit or code. Service accounts are server to server and use something like the JWT assertion profile with an asymmetric key. Installed applications are code flow only and have options for using localhost or returning the code in the title bar.
- changed status to resolved
Fixes #360. Made application_type REQUIRED and added an explanation about redirect_uris registration. Web apps must use https: scheme URIs and native apps must use a custom scheme or localhost. This prevents the same client ID from being used for two very different applications.
This was requested by Google/FB.
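As an added illustration (not code from the spec or from anyone in this thread), the following Python applies the two rules discussed above: the resolved redirect_uris restriction per application_type at registration time, and the earlier comment's observation that a bearer token from a 'native' client_id arriving with a Referer header is unusual enough to flag. The request and registry shapes are assumptions; the sample values are constructed.

```python
from urllib.parse import urlparse

# Loopback hosts accepted for a native client's http(s) redirect URI (assumption).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_allowed(application_type, uri):
    """Resolution of this issue: 'web' clients register https: URIs with a host;
    'native' clients register a custom scheme or a loopback (localhost) URI."""
    parsed = urlparse(uri)
    if not parsed.scheme:
        return False
    if application_type == "web":
        return parsed.scheme == "https" and bool(parsed.hostname)
    if application_type == "native":
        if parsed.scheme in ("http", "https"):
            return parsed.hostname in LOOPBACK_HOSTS
        return True  # custom scheme such as com.example.app:/cb
    return False


def validate_registration(request):
    """Check a registration request (dict); return a list of errors, [] if acceptable.
    application_type is REQUIRED, as the resolution made it."""
    errors = []
    app_type = request.get("application_type")
    if app_type not in ("web", "native"):
        return ["application_type is required and must be 'web' or 'native'"]
    uris = request.get("redirect_uris") or []
    if not uris:
        errors.append("redirect_uris is required")
    for uri in uris:
        if not redirect_uri_allowed(app_type, uri):
            errors.append(f"redirect_uri {uri!r} not allowed for application_type {app_type!r}")
    return errors


def suspicious_referer(client_registry, client_id, headers):
    """Detection heuristic from the thread: a request whose token belongs to a
    'native' client_id but carries a Referer header is worth investigating."""
    client = client_registry.get(client_id)
    if client is None:
        return False
    has_referer = any(name.lower() == "referer" for name in headers)
    return client.get("application_type") == "native" and has_referer


if __name__ == "__main__":
    # Constructed sample: a native app wrongly registering an https: callback.
    print(validate_registration({"application_type": "native",
                                 "redirect_uris": ["https://client.example.org/cb"]}))
```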