Basic - Abstract Please Clarify supported client types

Issue #549 resolved
Torsten Lodderstedt created an issue

The basic profile is suitable to implement JavaScript -based relying parties (or other user agent based RPs) but no ordinary web applications. This contradicts the impression created by the current introduction, which reads "... implement for web-based Relying Parties."

I would suggest to add this information to the introduction: "... implement for web-based Relying Parties using the OAuth implicit grant type."

Comments (4)

  1. John Bradley

    It is not uncommon for Server Based RP's to use a JS script to get the response from the browser and verify it. I see Facebook and others doing that for Severs and not just UserAgent RP.

    Perhaps we need a better example of how to use it with a ordinary Web application.

    I agree that the code flow is more secure for private clients, but some RP insist that making the backchannel call is too time consuming.

    I expect most users of the basic profile will want to directly verify the signature rather than use the check_id endpoint.

    Depending on what you are doing there are lots of possible profiles for the flows. The WG stopped me at one. The implicit flow was chosen because that is what Facebook and others used in their examples.


  2. Log in to comment