Client-side OAuth2.0 support #21

Open
ryanj opened this Issue May 11, 2012 · 4 comments


ryanj commented May 11, 2012

Client-side auth would be nice.
It should allow developers to get up and running quickly, and minimize dependency issues.

It would probably be useful for hackathons and other quick demos as well.

ryanj commented May 11, 2012

This feature should be paired with issue #22

@ryanj ryanj referenced this issue May 11, 2012

Closed

JSONP support #22

If response_type=token is specified on the request (part of the oauth2 spec I think?) then the callback will be redirected to with the token after the #, so I believe this already works, though I haven't tested it yet!

In general, client-side OAuth2 isn't secure because you end up with your secret where the world can see it. @ryanjarvinen do you know of something I don't? Is that what you meant by client-side OAuth2?

ryanj commented Jun 28, 2012

Yes, response_type=token is usually how client-side OAuth2.0 is initiated. I didn't get a chance to test it either. Maybe it's working?

@kristjan I think that all depends on how the access_tokens are handled. If the user who authorized the token is the only one who sees it, then there isn't a clear security risk.
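
The `response_type=token` callback discussed in this thread, as an added example that is not part of the original issue or the project's code: a client-side handler that reads the token from the URL fragment (RFC 6749, section 4.2), checks `state` first, and returns a fragment-free URL so the token does not stay in the address bar or history. The function name, callback URL, state value and token are assumptions constructed for illustration.

```javascript
// Added example. SAMPLE_CALLBACK is constructed data, not output from a real provider.
const SAMPLE_CALLBACK =
  'https://app.example/callback#access_token=SAMPLE-TOKEN' +
  '&token_type=bearer&expires_in=3600&state=xyz123';

// Hypothetical helper: parse an implicit-grant callback URL.
// expectedState is the value this page generated and stored before redirecting
// the user to the authorization endpoint.
function parseImplicitCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // Implicit-grant parameters arrive in the fragment, which the browser
  // does not send to the server hosting the callback page.
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));

  // Check state before anything else: it ties this response to the request
  // this page started, so a token injected by another site is rejected.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  // Error responses use the fragment too (error, error_description, state).
  if (params.has('error')) {
    return { ok: false, reason: params.get('error') };
  }
  const accessToken = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  if (!accessToken || tokenType !== 'bearer') {
    return { ok: false, reason: 'missing_or_unsupported_token' };
  }
  const expiresIn = Number.parseInt(params.get('expires_in'), 10);
  return {
    ok: true,
    accessToken,
    expiresIn: Number.isNaN(expiresIn) ? null : expiresIn,
    // URL without the fragment; in a browser, pass this to
    // history.replaceState(null, '', cleanUrl) once the token is in memory.
    cleanUrl: url.origin + url.pathname + url.search,
  };
}

const demo = parseImplicitCallback(SAMPLE_CALLBACK, 'xyz123');
console.log(demo.ok, demo.expiresIn, demo.cleanUrl);
```
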
