Open kidphys opened 9 years ago
HTTPS is required. DNS, browser history, and proxies can be problematic, so I guess the use case here is the same as in OAuth 2.0: the provider must issue a short-lived token (requiring a refresh).
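An added example, not code from the gem under discussion and not written by any participant in this thread: a minimal short-lived, HMAC-signed token of the kind the comment above describes, issued with an expiry and verified with a constant-time signature check, so that a token that leaks from a redirect URL (via history, a proxy log or a Referer header) is only useful for a short window. The secret, the 60-second TTL, the claim names and the `?token=` query parameter are assumptions for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'uri'

# Illustrative constants, not from the gem. A real provider keeps the secret
# out of source control and picks a TTL matching its refresh flow.
DEMO_SECRET = 'constructed-demo-secret-not-for-production'.freeze
TOKEN_TTL = 60 # seconds; short on purpose, the URL may be logged anywhere

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hmac_b64url(secret, payload)
  b64url(OpenSSL::HMAC.digest('SHA256', secret, payload))
end

# Compare two strings without short-circuiting on the first differing byte,
# so an attacker cannot learn the signature through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token format: base64url(JSON claims) "." base64url(HMAC-SHA256 over the
# encoded claims). `now` is injectable so expiry can be tested deterministically.
def issue_token(user_id, now: Time.now.to_i, ttl: TOKEN_TTL, secret: DEMO_SECRET)
  payload = b64url(JSON.generate('sub' => user_id, 'exp' => now + ttl))
  "#{payload}.#{hmac_b64url(secret, payload)}"
end

# Returns the subject if the token is genuine and unexpired, otherwise nil.
# Signature is checked before the claims are parsed, so untrusted input never
# reaches the JSON parser unless it was signed by us.
def verify_token(token, now: Time.now.to_i, secret: DEMO_SECRET)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil? || payload.empty?
  return nil unless secure_equal?(hmac_b64url(secret, payload), sig)

  claims = (JSON.parse(Base64.urlsafe_decode64(payload)) rescue nil)
  return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer)
  return nil unless now < claims['exp'] # expired tokens are worthless to a thief

  claims['sub']
end

# The redirect URL the provider sends the browser to; the token rides in the
# query string, which is exactly the part that ends up in logs and history.
def redirect_url(base, token)
  uri = URI.parse(base)
  uri.query = URI.encode_www_form('token' => token)
  uri.to_s
end

# What "any host standing in between" can do: pull the token straight back
# out of the URL. Only the short TTL bounds the damage.
def token_from_redirect(url)
  query = URI.parse(url).query
  return nil if query.nil?
  Hash[URI.decode_www_form(query)]['token']
end

if $PROGRAM_NAME == __FILE__
  t = issue_token('alice')
  url = redirect_url('https://app.example/callback', t)
  puts url
  puts "verified subject: #{verify_token(token_from_redirect(url)).inspect}"
end
```

Swapping the query parameter for a URL fragment, or returning a one-time code that is exchanged server-to-server, reduces the exposure further; the point of the block is only that whatever is placed in the URL must expire quickly.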
FYI: I rewrote this gem and modernized it!
Correct me if I'm wrong, but is it insecure to include the token in the redirection URL? Any host standing in between may intercept and extract the token at will.