
Facebook does this when you sign into an app you've previously authorized, in native application flows. Microsoft just added this recently as well. We do recommend it to other IDPs.

This is only enforced for public clients, though, that don't have verifiable reply URIs, so web sites are OK.




I've only ever implemented web-based OAuth flows, so I haven't seen that behavior.

Do they also disallow the use of refresh tokens? It would seem that allowing refresh would let a malicious app get around the requirement.


If you force a check at the start, refresh token seems fine. That's much preferable to popping UX every hour or whenever the access token expires.


Then what's the point? The malicious app would just keep refreshing so you never see the confirmation again, anyway.
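An added illustration of the policy the thread is arguing about (constructed example, not code from Facebook, Microsoft or any commenter): re-prompt public clients whose redirect URI cannot be verified, and withhold refresh tokens from exactly those clients so the refresh grant cannot be used to skip the prompt. Client names and URIs are constructed.

```python
"""Illustrative authorization-server policy (constructed example, not any
real IdP's code): when to re-prompt the user, and which clients may hold
a refresh token."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool   # True if the client holds a secret (server-side web app)
    redirect_uri: str    # registered redirect (reply) URI


def redirect_uri_is_verifiable(uri: str) -> bool:
    """An https redirect to a registered host lets the server verify who
    receives the authorization code. Custom schemes ("myapp://") and
    loopback addresses can be claimed by any app on the device, so they
    prove nothing about the caller."""
    p = urlparse(uri)
    if p.scheme != "https" or not p.hostname:
        return False
    return p.hostname not in ("localhost", "127.0.0.1", "::1")


def must_confirm(client: Client, previously_authorized: bool) -> bool:
    """Interactive confirmation on the authorization-code leg. Verifiable
    clients skip it once consent exists; a public client with an
    unverifiable redirect URI is re-prompted every time, because an
    impostor app could present the same client_id and redirect URI."""
    trusted = client.confidential or redirect_uri_is_verifiable(client.redirect_uri)
    return not (trusted and previously_authorized)


def may_issue_refresh_token(client: Client) -> bool:
    """A refresh token mints access tokens with no user interaction, which
    would silently bypass must_confirm(); only verifiable clients get one."""
    return client.confidential or redirect_uri_is_verifiable(client.redirect_uri)


# Constructed sample registrations.
WEB_APP = Client("web-app", confidential=True, redirect_uri="https://app.example/cb")
SPA = Client("spa", confidential=False, redirect_uri="https://spa.example/cb")
NATIVE = Client("native", confidential=False, redirect_uri="com.example.app://cb")
```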



