[Openid-specs-ab] Guidance on what the different flows are for

John Bradley ve7jtb at ve7jtb.com
Wed Oct 30 02:18:53 UTC 2013


On Oct 29, 2013, at 10:22 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Several reviewers have requested guidance on when to use the different flows.  I believe that we’d be doing a service to our readers by providing it.
> Several reviewers have objected to this text in http://openid.net/specs/openid-connect-core-1_0.html#Authentication – saying that sometimes the Code flow is used even when the client can’t maintain the secrecy of the client_secret:
> The Authorization Code Flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server whereas, the Implicit Flow is suitable for Clients that cannot.
> I believe that that the statement would still be true if we changed the word “suitable” to “intended”.  And then, as discussed in the F2F meeting, we could add the sentence:
> “However, the Authorization Code flow is sometimes also used by Native applications in order to be able to obtain a Refresh Token, even when they cannot ensure the secrecy of the client_secret value.”
> Would that combination work for people?
> Finally, I propose that we add this guidance about the Hybrid Flow:
> “The Hybrid flow enables Clients to obtain an ID Token and/or Access Token with only one round trip to the Authorization Server, possibly minimizing latency, while still enabling Clients to later get tokens from the Token Endpoint – especially a Refresh Token.”
> Per the decision at the F2F, all this “guidance” text would move to the introduction.
> Are people good with the wording above, or would you like to make alternative suggestions?
>                                                                 -- Mike
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131029/28e3ca44/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4507 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131029/28e3ca44/attachment.p7s>

More information about the Openid-specs-ab mailing list