sakimura at gmail.com
Sun Jul 29 00:32:20 UTC 2018
A public client can still use 'code' flow and that often is a recommended
way of dealing with OAuth.
A public client cannot get a refresh token.
Many people seem to equate using the code grant type with a confidential client,
but that is not the case. Whether it is a confidential client or a public
client depends upon its ability to keep the secret confidential. (This is a
topic in my YouTube video coming up in two weeks.)
On Sun, Jul 29, 2018 at 7:31 AM SureshAtt via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> Hello everyone,
> using hybrid flow?
> According to the OIDC spec and to the Multiple Response Types Encoding
> Practice spec, in the hybrid flow the authorization code by default is
> returned with fragment encoding (query encoding must not be used). This
> keep refreshing access tokens using the "none" client authentication
> However, the OAuth2 spec (section 10.4) says "*Refresh tokens MUST be
> nature public clients which are unable to keep the refresh tokens
> confidential. And neither OIDC spec security considerations section nor the
> OAuth2 Threat Model spec cover the case where the refresh tokens are stored
> in a JS client, for example against tampering the refresh token stored in
> the local storage.
> Therefore I am not clear if it is expected to use refresh tokens with
> Thanks & regards,
> Suresh Attanayake
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
Nat Sakimura (=nat)
Chairman, OpenID Foundation
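The point both messages turn on is that in the hybrid flow the code (and id_token) come back in the URL fragment rather than the query, and that a public client then talks to the token endpoint with the "none" client authentication method, sending only its client_id. The JavaScript below, added here as an illustration and not code from this thread or from any OpenID Foundation project, shows that client side: the default response encoding rule from the Multiple Response Types spec, a fragment parser that rejects a query-encoded code and a bad state, and the token and refresh request bodies a public client sends without a client secret. The redirect URI, client_id, code, state and token values are constructed placeholders.

```javascript
// Added example, not from the mailing-list thread. All URLs, client_id,
// code, state and token values below are constructed placeholders.

// Per the OAuth 2.0 Multiple Response Type Encoding Practices spec, only
// response_type=code (and "none") use the query component; every
// response_type that includes token or id_token (implicit and hybrid flows)
// defaults to fragment encoding.
function defaultResponseMode(responseType) {
  const types = responseType.trim().split(/\s+/);
  if (types.length === 1 && (types[0] === 'code' || types[0] === 'none')) {
    return 'query';
  }
  return 'fragment';
}

// Parse a hybrid-flow redirect such as
//   https://client.example/cb#code=...&id_token=...&state=...
// The fragment never leaves the browser, so this has to run in the client.
function parseFragmentResponse(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);

  // Hybrid flow must not deliver response parameters in the query component.
  const query = new URLSearchParams(url.search);
  for (const p of ['code', 'id_token', 'access_token', 'state']) {
    if (query.has(p)) {
      throw new Error(`${p} found in query component; hybrid flow requires fragment encoding`);
    }
  }

  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  // Bind the response to the request this client actually started.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: response does not belong to this session');
  }
  const code = params.get('code');
  if (!code) {
    throw new Error('no authorization code in fragment');
  }
  // In a real page you would now clear the fragment (history.replaceState)
  // so the code does not linger in the address bar or browser history.
  return { code, idToken: params.get('id_token'), state: params.get('state') };
}

// Token endpoint body for a public client: client authentication "none",
// so client_id travels in the body and there is no client_secret at all.
function buildCodeTokenRequest({ code, clientId, redirectUri }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  }).toString();
}

// Refresh request from the same public client, again with client_id only.
function buildRefreshRequest({ refreshToken, clientId }) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    client_id: clientId,
  }).toString();
}

// Walk through one constructed exchange end to end.
function demo() {
  const expectedState = 'st4te-placeholder';
  const redirected =
    'https://client.example/cb#code=c0de-placeholder&id_token=h.p.s&state=' + expectedState;
  const resp = parseFragmentResponse(redirected, expectedState);
  return buildCodeTokenRequest({
    code: resp.code,
    clientId: 'spa-client-placeholder',
    redirectUri: 'https://client.example/cb',
  });
}

module.exports = { defaultResponseMode, parseFragmentResponse, buildCodeTokenRequest, buildRefreshRequest, demo };
```

Nothing in these requests is a secret, which is exactly why the flow works for a public client; the open question in the thread is what happens afterwards, since a refresh token kept in localStorage is readable and writable by any script running in that origin, so its confidentiality is only as good as the page's own script integrity.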