by mardiros
4838 days ago
I am sorry but I still miss something. And I read the OAuth2 spec again:
http://tools.ietf.org/pdf/draft-ietf-oauth-v2-26.pdf

* Why is there an access_token in a browser URL (query string or fragment)? The access_token is provided by the Authorization Server to the client, and not to the user. The user should only receive an authorization_code. And, to get an access_token, the client must have an authorization_code and know the "client_secret". The access_token should never be seen in a browser, right? Does Facebook really respect the protocol? In other words, is it a Facebook problem or an OAuth problem?
It's also flexible. Even if the app 99.99% of the time uses response_type=code, someday a hacker comes and uses token on a hacked redirect_uri.
Simply speaking, response_type should also be static and constant. But, gosh, let's fix the first-world problem first.
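The check both comments point at, as an added example (not code from either commenter, Facebook, or the OAuth spec): a client that fixed response_type=code should accept only an authorization code in the query string of the redirect back to it, and refuse any redirect that carries an access_token in the query or the fragment. The registered redirect_uri and the stored state value are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed values for this example: the redirect_uri the client registered
# and the state it stored before sending the user to the authorization server.
REGISTERED_REDIRECT_URI = "https://client.example.org/cb"
EXPECTED_STATE = "state-constructed-for-example"


class RedirectError(ValueError):
    """Raised when the redirect back to the client must not be trusted."""


def extract_authorization_code(redirect_url, expected_state=EXPECTED_STATE):
    """Return the authorization code from a redirect, or raise RedirectError.

    Enforces a static response_type=code: the client only ever accepts a code
    in the query string. An access_token anywhere in the URL, including the
    fragment where response_type=token would place it, is rejected, because
    in the code flow the token must never reach the browser.
    """
    parts = urlsplit(redirect_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != REGISTERED_REDIRECT_URI:
        raise RedirectError("redirect_uri does not match the registered one")
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "access_token" in query or "access_token" in fragment:
        raise RedirectError("access_token exposed in a browser URL")
    if "error" in query:
        raise RedirectError("authorization server error: " + query["error"][0])
    # state binds the response to the request this client actually started.
    if query.get("state", [None])[0] != expected_state:
        raise RedirectError("state mismatch")
    code = query.get("code", [])
    if len(code) != 1:
        raise RedirectError("missing or duplicated authorization code")
    return code[0]


def is_acceptable_redirect(redirect_url):
    """True only if the redirect carries a single authorization code and nothing else suspicious."""
    try:
        extract_authorization_code(redirect_url)
        return True
    except RedirectError:
        return False
```

The code returned here is then exchanged server-side, together with client_secret, for the access_token; the browser never sees the token.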