[Openid-specs-ab] Hybrid Flow use cases and client confidentiality requirements
Sergey Beryozkin
sberyozkin at gmail.com
Tue Mar 8 13:34:46 UTC 2016
Hi All
I'm not understanding clearly enough why OIDC hybrid flows will be used.
I can imagine a situation where a complex 'client', which is probably a
combination of the in-browser implicit JavaScript client and the
web server client this implicit client is linked to, is used.
But it would help me and other implementers to understand better what
the use cases (even a single use case) are here.
What confuses me is what the real client confidentiality
requirements here are.
For example, a public client may be restricted to requesting a token via
the implicit flow but not a code. Likewise, a confidential client may
be prevented from requesting a token via the implicit flow and only
allowed to request a code. But with the hybrid flow, it is everything
that one can possibly get from an OAuth2 server supporting the redirection-based
flows.
Can it make sense to introduce a 'hybrid' client term ?
Thanks, Sergey
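The policy question raised above (which response_type values a public or confidential client should be allowed to request, and what a hybrid response hands back) can be made concrete as an authorization-endpoint check. The following is an added example written for this archive page; it is not the poster's code and is not taken from any particular server. It assumes a client record that carries the `response_types` allow-list from OpenID Connect Dynamic Client Registration and a `public` flag (an assumed field: confidential clients authenticate at the token endpoint, public ones do not). The client records and requests in it are constructed for the example.

```python
"""Response-type policy for an OpenID Connect authorization endpoint.

Added example; not the list poster's code and not from any particular
implementation.  Assumes a client record with the registered
`response_types` allow-list (OIDC Dynamic Client Registration) and an
assumed `public` flag.  Client records below are constructed sample data.
"""

from dataclasses import dataclass, field

# OpenID Connect Core section 3: which flow each response_type selects.
# The hybrid flow is any response_type that pairs "code" with
# "id_token" and/or "token".
FLOW_BY_RESPONSE_TYPE = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}


@dataclass
class Client:
    client_id: str
    public: bool                                  # assumed field for the example
    response_types: set = field(default_factory=lambda: {"code"})  # registered


def parse_response_type(value: str) -> frozenset:
    """response_type is a space-separated, order-independent set of values."""
    tokens = frozenset(value.split())
    if tokens not in FLOW_BY_RESPONSE_TYPE:
        raise ValueError(f"unsupported response_type {value!r}")
    return tokens


def flow_for(value: str) -> str:
    """Name the flow (authorization_code, implicit, hybrid) a request selects."""
    return FLOW_BY_RESPONSE_TYPE[parse_response_type(value)]


def is_allowed(client: Client, requested: str) -> bool:
    """Allow the request only if this exact response_type set was registered.

    Registering only "id_token token" confines a client to the implicit
    flow; registering only "code" confines it to the code flow; a client
    that may use the hybrid flow must have the combined value registered.
    """
    tokens = parse_response_type(requested)
    return any(tokens == frozenset(rt.split()) for rt in client.response_types)


def describe(requested: str, client: Client) -> dict:
    """What the authorization endpoint returns for this response_type, where
    it lands, which hash claims the ID Token must carry, and what the client
    still has to do at the token endpoint to finish."""
    tokens = parse_response_type(requested)
    # OAuth 2.0 Multiple Response Type Encoding Practices: default
    # response_mode is "query" for a bare code and "fragment" whenever a
    # token or id_token is returned from the authorization endpoint.
    mode = "query" if tokens == {"code"} else "fragment"
    info = {
        "flow": FLOW_BY_RESPONSE_TYPE[tokens],
        "response_mode": mode,
        "from_authorization_endpoint": sorted(tokens),
        "id_token_hash_claims": [],
        "token_endpoint": None,
    }
    if "id_token" in tokens:
        # Core 3.3.2.11: c_hash is REQUIRED when a code accompanies the
        # ID Token from the authorization endpoint; at_hash is REQUIRED
        # when an access token accompanies it.
        if "code" in tokens:
            info["id_token_hash_claims"].append("c_hash")
        if "token" in tokens:
            info["id_token_hash_claims"].append("at_hash")
    if "code" in tokens:
        # The code is only useful once redeemed; a confidential client
        # authenticates for that exchange, a public client cannot.
        info["token_endpoint"] = (
            "exchange code without client authentication" if client.public
            else "exchange code with client authentication"
        )
    return info


if __name__ == "__main__":
    spa = Client("spa", public=True, response_types={"id_token token"})
    web = Client("web", public=False, response_types={"code", "code id_token"})
    for client, rt in [(spa, "id_token token"), (spa, "code"),
                       (web, "code id_token"), (web, "code id_token token")]:
        verdict = "allowed" if is_allowed(client, rt) else "rejected"
        print(f"{client.client_id}: {rt!r} -> {flow_for(rt)} {verdict}")
    print(describe("code id_token", web))
```

The allow-list check is deliberately an exact-set match rather than a subset check: a client registered for `code id_token` has not thereby been granted the bare implicit `id_token token` response, and vice versa. The `describe` output shows why a hybrid request is "everything at once": the fragment carries artifacts that normally belong to the implicit flow, and the code still has to be redeemed at the token endpoint, where the confidential half of the client is the part that authenticates.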