Closed shane-tomlinson closed 5 years ago
Taking this, as I've been working on a related cleanup for https://github.com/mozilla/fxa-auth-server/issues/2954 anyway
Also we should stop calling them "implicit grants" because "implicit grant" means a very specific thing in the OAuth world, and that thing is not the same as the thing we're doing.
From @rfk's comment in https://github.com/mozilla/fxa-auth-server/issues/2955#issuecomment-472154130 which I agree with:
IMHO, we should stop doing implicit grants on the /authorization endpoint and start doing them on the /token endpoint, since our client apps only use this flow for granting tokens to themselves (which is what the /token endpoint is conceptually about) rather than to other clients (which is what the /authorization endpoint is conceptually about).
Obviously there's b/w compat concerns there though, so let's see how it shakes out in practice...
Another win is that /authorization endpoint validation logic simplifies considerably.