But, most importantly, the fact that IndieAuth uses a URL for ... • Aaron Parecki

61°F

Khor https://twitter.com/neth_6 • Aug 8
Got a #IndieAuth question. Since there is no client pre-registration, there is no client secret. Thus during code/access token exchange no client secret is used. Less secure than Authorization Code and more like Implicit perhaps?

But, most importantly, the fact that IndieAuth uses a URL for the client ID means that you *do* authenticate the client in the initial Auth Code request, since the redirect URL has to match the domain or be registered. That's an improvement over OAuth with no secret.

Portland, Oregon, USA • 64°F

Wed, Aug 8, 2018 6:28am -07:00

1 like 1 reply
- Khor
Have you written a response to this? Let me know the URL:
- Khor twitter.com/neth_6
  
  Thanks for this tip!
  
  Wed, Aug 8, 2018 2:17pm +00:00 (via brid-gy.appspot.com)

Posted in /replies using quill.p3k.io