[Openid-specs-ab] Lite Draft 9

Allen Tom allentomdude at gmail.com
Fri Aug 19 19:02:53 UTC 2011


The explanation in Section 3 regarding when to use the Implicit vs Code flow
is vague, because it's not clear as to what it means for a client to
securely maintain state between itself and the auth server.

It might be better to just say that the Code flow should be used if the
redirect_uri doesn't use HTTPS, and if the client is able to securely store
its client_secret.

Allen