This repository has been archived by the owner on Apr 3, 2019. It is now read-only.
Do direct assertion->token exchange on the /token endpoint, not the /authorization endpoint #2962
Assignees
Comments
|
Taking this, as I've been working on a related cleanup for #2954 anyway |
rfk
changed the title
|
Also we should stop calling them "implicit grants" because "implicit grant" means a very specific thing in the OAuth world, and that thing is not the same as the thing we're doing. |
rfk
changed the title
This was referenced Mar 15, 2019
ghost
removed
the
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
From @rfk's comment in #2955 (comment) which I agree with:
IMHO, we should stop doing implicit grants on the /authorization endpoint and start doing them on the /token endpoint, since our client apps only use this flow for granting tokens to themselves (which is what the /token endpoint is conceptually about) rather than to other clients (which is what the /authorization endpoint is conceptually about).
Obviously there's b/w compat concerns there though, so let's see how it shakes it in practice...
Another win is that /authorization endpoint validation logic simplifies considerably.
The text was updated successfully, but these errors were encountered: