Basic - Abstract Please Clarify supported client types

Issue #549 resolved
Torsten Lodderstedt created an issue

The basic profile is suitable to implement JavaScript-based relying parties (or other user agent based RPs) but not ordinary web applications. This contradicts the impression created by the current introduction, which reads "... implement for web-based Relying Parties."

I would suggest adding this information to the introduction: "... implement for web-based Relying Parties using the OAuth implicit grant type."

Comments (4)

  1. John Bradley

    It is not uncommon for Server Based RPs to use a JS script to get the response from the browser and verify it. I see Facebook and others doing that for Servers and not just UserAgent RP.

    Perhaps we need a better example of how to use it with an ordinary Web application.

    I agree that the code flow is more secure for private clients, but some RP insist that making the backchannel call is too time consuming.

    I expect most users of the basic profile will want to directly verify the signature rather than use the check_id endpoint.

    Depending on what you are doing there are lots of possible profiles for the flows. The WG stopped me at one. The implicit flow was chosen because that is what Facebook and others used in their examples.

    John
