by nakovet
4520 days ago
One thing that I didn't get from the post:

> Oh my, another OAuth anti-pattern! Clients should never reveal the actual access_token to the user agent.

From what I understood by reading the OAuth RFC, front-end intensive applications (a.k.a. public clients) should have short-lifespan access tokens (~2 hours), and the back-end takes care of reissuing a new access token when it expires. Can someone clarify how to make those calls from a front-end application without revealing the access token?