sakimura at gmail.com
Wed Feb 25 06:11:28 UTC 2015
I guess it will be a separate document / page.
If the app has a server component which can be confidential, then it should
either use code flow or hybrid flow, IMHO.
The in-browser client and the PHP app on the server would have different
client IDs, and ID Tokens are issued to them separately.
2015-02-25 14:54 GMT+09:00 Adam Dawes <adawes at google.com>:
> This is great but I think we need to go further than to document just how
> the client performs login to the AP. We've seen instances by significant
> partners that the client interacts with Google to do the login and then
> simply transmits this info back to their home server without any further
> auth between the client and server.
> Describing the technique of transmitting the ID Token between client and
> home server (then validating on the home server side) to generate a session
> token for the client would be very valuable. Here's a very good write-up on
> what a developer needs to do:
> On Wed, Dec 10, 2014 at 4:31 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>> Feedback welcome.
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
Nat Sakimura (=nat)
Chairman, OpenID Foundation
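
Added example, not part of the original message and not OpenID Foundation or Google code: the server-side step discussed in this thread, where the home server validates the ID Token it receives before minting its own session token and rejects a token issued to a different client ID. Assumptions: HS256 with a constructed shared key so the block runs on the standard library alone (an OP that signs with RS256 would be verified against its published keys instead); `ISSUER`, `SERVER_CLIENT_ID`, `KEY` and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://op.example.com"    # assumed OP issuer (placeholder)
SERVER_CLIENT_ID = "server-app"      # assumed client_id registered for the home server
KEY = b"constructed-demo-key"        # assumed HS256 key, constructed for this demo

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, key=KEY):
    """Stand-in for the OP: build a constructed HS256 ID Token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head, body, key))}"

def validate_id_token(token, now=None):
    """Return the claims if the token is valid for this server, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        alg, given = header["alg"], b64url_decode(sig)
        if not isinstance(claims, dict) or "sub" not in claims:
            raise ValueError("claims")
    except Exception:
        raise ValueError("malformed token") from None
    if alg != "HS256":  # pin the algorithm; do not let the header choose it
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sign(head, body, KEY), given):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # aud may be a single string or a list of client IDs
    if SERVER_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was issued to a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims

def start_session(token, now=None):
    """Only after validation does the server mint its own session token."""
    claims = validate_id_token(token, now)
    return {"sub": claims["sub"], "session": secrets.token_urlsafe(32)}
```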