[Openid-specs-ab] Lite Draft 9
allentomdude at gmail.com
Fri Aug 19 19:02:53 UTC 2011
The explanation in Section 3 regarding when to use the Implicit vs Code flow
is vague, because it's not clear as to what it means for a client to
securely maintain state between itself and the auth server.
It might be better to just say that the Code flow should be used if the
redirect_uri doesn't use HTTPS, and if the client is able to securely store