You are correct. The RFC makes the distinction that "dynamically issued credentials such as access tokens or refresh tokens can received an acceptable level of protection" in a native application. However, the lines certainly can be blurred with a Cordova App which is both a user agent based application and a native application.
I guess the question still remains, what is the GWT recommended flow for performing OAuth if it is desired to keep a user logged in beyond the expiration of an access token?
On Tue, Jul 12, 2016 at 9:55 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
It amounts to knowledge by the AS whether this is a confidential or public client. When registering a native app, Google knows that it can only be a public app. When registering a web app, they can assume this will be a confidential client and expect you to keep the secret, well, secret. The AS (Google) can then have different policies regarding what scopes they allow, or how they present the consent screen and admin panel, depending on the type of client.
Have a look at the definition of both types of clients in RFC 6749.
--
You received this message because you are subscribed to a topic in the Google Groups "GWT Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-web-toolkit/I4gXb4QLWtQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment