Will be talking about 'The Many Flavors of OAuth' at apidays.co/sanfrancisco including brief overview of identity layers #openidconnect #oidc, and #IndieAuth. Use code 'Soonhin' to get free tix. @aaronpk thanks for aaronparecki.com/2018/07/07/….
Got a #IndieAuth question. Since there is no client pre-registration, there is no client secret. Thus during code/access token exchange no client secret is used. Less secure than Authorization Code and more like Implicit perhaps?
Good question! The OAuth Authorization Code flow doesn't require a secret either. For example, mobile apps can't use a secret, but still use the Auth Code flow. There are many benefits to the Auth Code flow over Implicit; I wrote some about that here: developer.okta.com/blog/2018…
Regular OAuth 2.0 also supports the Authorization Code flow with no secret. In fact, many companies recommend Auth Code w/no secret instead of Implicit.
IndieAuth is like taking Auth Code w/no secret and adding back some layers of security because of the client ID being a URL.
Aug 8, 2018 · 2:42 PM UTC
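Added example, not part of the thread: one check that a URL-form client ID makes possible without pre-registration is comparing the redirect URI against the client_id, as the IndieAuth specification describes. Function names and sample URLs are illustrative, the client_id checks are a subset of the spec's rules, and `published_redirects` stands for redirect URLs the server is assumed to have already fetched from the client_id page.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # malformed host or non-numeric port
        return None
    return scheme, parts.hostname.lower(), port


def valid_client_id(client_id):
    """Shape checks on a URL client_id: http(s), no fragment, no userinfo."""
    if _origin(client_id) is None:
        return False
    parts = urlsplit(client_id)
    return not parts.fragment and parts.username is None and parts.password is None


def redirect_allowed(client_id, redirect_uri, published_redirects=frozenset()):
    """Decide whether redirect_uri may receive the authorization code.

    Same scheme, host and port as client_id is accepted directly. Anything
    else (another host, a custom app scheme) must exactly match a redirect
    URL the client publishes at its client_id URL (assumed input here).
    """
    if not valid_client_id(client_id):
        return False
    if _origin(redirect_uri) == _origin(client_id):
        return True
    return redirect_uri in published_redirects


if __name__ == "__main__":
    cid = "https://app.example.com/"  # constructed sample values
    print(redirect_allowed(cid, "https://app.example.com/callback"))
    print(redirect_allowed(cid, "https://other.example.net/callback"))
    print(redirect_allowed(cid, "exampleapp://cb", {"exampleapp://cb"}))
```

With no client secret, this comparison is what ties the authorization code's destination to the application the user was shown on the consent screen.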

