Registration 2.1 - What is application_type (native, web) used for?

Issue #360 resolved
Michael Jones
created an issue

What is the parameter application_type (native, web) used for? Why does this matter, and shouldn’t this be specified in terms of the different protocol behaviors and not in terms of some classification system for clients? E.g. do they use implicit or not?

Comments (11)

  1. gffletch

    The behavior implications of 'native' or 'web' are related to issue #539. The main reason for knowing whether an application is 'native' or 'web' revolves around whether to provide the application with "offline access". However, the distinction is also useful in addressing "malicious" activity. For example, if a token shows up at an API with an HTTP referrer header and the token is associated with a client_id of a native app, it is a little unusual and worth tracking/investigating.

    Proposed text:

    application_type OPTIONAL. The defined values are 'native' and 'web' where 'native' is used for those applications that run natively on a device as distinguished from 'web' where the application runs in a web browser (either directly within the browser or as driven by a web server).

  2. John Bradley

    Fixes #360. Made application_type REQUIRED and added an explanation about redirect_uris registration. Web apps must use https: scheme URI and native must use custom scheme or local host. This prevents the same client ID from being used for two very different applications.
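
The redirect_uris rule described in the comment above, sketched as a registration-time check. This is an added example, not part of the issue thread or of the specification text; the function names, the sample request, and the choice to accept loopback IP literals alongside localhost (over http only) are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: "local host" covers the name and the loopback IP literals.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(application_type, uri):
    """Return None if uri fits the application_type, else a reason string."""
    parts = urlsplit(uri)
    scheme = parts.scheme
    if not scheme or scheme in LOOPBACK_HOSTS:
        # "localhost:8080/cb" parses with scheme "localhost": no real scheme.
        return "not an absolute URI"
    if application_type == "web":
        return None if scheme == "https" else "web clients must use https:"
    # native: custom scheme, or http on the loopback host (assumed http only)
    if scheme == "https":
        return "https: is for web clients"
    if scheme == "http":
        host = (parts.hostname or "").lower()
        return None if host in LOOPBACK_HOSTS else "native http: must target localhost"
    return None  # any other scheme is treated as a custom scheme


def validate_registration(metadata):
    """Return a list of problems; an empty list means the request is acceptable."""
    app_type = metadata.get("application_type")
    if app_type not in ("web", "native"):
        return ["application_type is REQUIRED and must be 'web' or 'native'"]
    uris = metadata.get("redirect_uris") or []
    if not uris:
        return ["redirect_uris must not be empty"]
    problems = []
    for uri in uris:
        reason = check_redirect_uri(app_type, uri)
        if reason:
            problems.append(f"{uri}: {reason}")
    return problems


# Constructed sample: one client_id trying to cover a web app and a native app.
MIXED = {
    "application_type": "web",
    "redirect_uris": ["https://client.example.org/cb", "com.example.app:/cb"],
}

if __name__ == "__main__":
    for problem in validate_registration(MIXED):
        print("rejected:", problem)
```
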

