This repository has been archived by the owner on Apr 3, 2019. It is now read-only.
rfk changed the title from "Issue implicit grants from the /token endpoint instead of the /authorization endpoint" to "Issue direct credential grants from the /token endpoint instead of the /authorization endpoint" on Mar 15, 2019
Also we should stop calling them "implicit grants" because "implicit grant" means a very specific thing in the OAuth world, and that thing is not the same as the thing we're doing.
rfk changed the title from "Issue direct credential grants from the /token endpoint instead of the /authorization endpoint" to "Do direct assertion->token exchange on the /token endpoint, not the /authorization endpoint" on Mar 15, 2019
From @rfk's comment in #2955 (comment) which I agree with:
IMHO, we should stop doing implicit grants on the /authorization endpoint and start doing them on the /token endpoint, since our client apps only use this flow for granting tokens to themselves (which is what the /token endpoint is conceptually about) rather than to other clients (which is what the /authorization endpoint is conceptually about).
Obviously there's b/w compat concerns there though, so let's see how it shakes out in practice...
Another win is that /authorization endpoint validation logic simplifies considerably.
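The two endpoints the discussion above contrasts, as an added example that is not part of this issue and not the fxa-auth-server project's own code: a toy Python OAuth 2.0 server whose /authorization endpoint only handles the redirect-based code flow (and refuses response_type=token, the actual OAuth "implicit grant"), while the /token endpoint handles both the code exchange and a direct assertion-to-token grant for the calling client itself. The grant-type URI (RFC 7523's jwt-bearer), the HMAC-signed stand-in for a real signed assertion, the audience value, and the client registry with its direct_grant flag are all assumptions made for the example.

```python
"""Toy OAuth 2.0 server: redirect-based grants on /authorization, direct
credential exchange on /token. Constructed for illustration; this is not the
fxa-auth-server implementation."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Assumed vehicle for the direct exchange: the RFC 7523 JWT-bearer grant type.
ASSERTION_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Assumed audience that an assertion must name to be accepted at /token.
TOKEN_AUDIENCE = "https://oauth.example/token"

# Constructed client registry. 'direct_grant' marks first-party apps that may
# trade an assertion for a token for themselves; third parties get the code flow.
CLIENTS = {
    "third-party-app": {"redirect_uris": ["https://example.com/cb"], "direct_grant": False},
    "first-party-app": {"redirect_uris": [], "direct_grant": True},
}

# Constructed issuer key: an HMAC-signed stand-in for a real signed assertion.
ASSERTION_KEY = b"constructed-issuer-key"

CODES = {}   # code  -> (client_id, user_id, redirect_uri)
TOKENS = {}  # token -> (client_id, user_id)


def make_assertion(user_id, audience, key=ASSERTION_KEY, ttl=60):
    """Build a stand-in assertion: base64url(JSON claims) + '.' + HMAC tag."""
    claims = {"sub": user_id, "aud": audience, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_assertion(assertion, expected_aud):
    """Return the subject if the tag, audience and expiry all check out."""
    if "." not in assertion:
        raise ValueError("malformed assertion")
    body, tag = assertion.rsplit(".", 1)
    expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad assertion signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != expected_aud:
        raise ValueError("assertion audience mismatch")  # blocks replay elsewhere
    if claims.get("exp", 0) < time.time():
        raise ValueError("assertion expired")
    return claims["sub"]


def authorization_endpoint(params, user_id):
    """Grant to a *different* client via redirect. Everything validated here
    concerns the redirect: client, registered redirect_uri, response_type,
    state. Returns the redirect URL carrying the code. response_type=token
    (the real OAuth implicit grant) is refused so no token lands in a fragment."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        raise ValueError("unknown client")
    if params.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered")
    if not params.get("state"):
        raise ValueError("state required")
    code = secrets.token_urlsafe(16)
    CODES[code] = (params["client_id"], user_id, redirect_uri)
    return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})


def token_endpoint(params):
    """Token for the *calling* client. Two grants: exchanging a code obtained
    from /authorization, or trading an assertion directly (the flow the issue
    proposes moving here). The assertion path needs no redirect_uri or state."""
    client_id = params.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    grant = params.get("grant_type")
    if grant == "authorization_code":
        entry = CODES.pop(params.get("code"), None)  # single use
        if entry is None or entry[0] != client_id or entry[2] != params.get("redirect_uri"):
            raise ValueError("invalid code")
        user_id = entry[1]
    elif grant == ASSERTION_GRANT:
        if not client["direct_grant"]:
            raise ValueError("client may not use the assertion grant")
        user_id = verify_assertion(params.get("assertion", ""), TOKEN_AUDIENCE)
    else:
        raise ValueError("unsupported grant_type")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, user_id)
    return {"access_token": token, "token_type": "bearer"}
```

The split is what makes the /authorization validation simpler: once the direct exchange lives on /token, /authorization only has to reason about redirects (registered redirect_uri, response_type, state), and the assertion path only has to establish who is calling and that the assertion was minted for this token endpoint's audience. The audience check is the part not to skip, since an assertion accepted without it could be replayed against any other relying party.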