Monday, 15 September 2014

javascript - Live SDK client secret optional-requirement

Why is the client secret required, but not if you use the JavaScript client?

This isn't logical. Can someone please explain to me why the secret is required when making a REST call directly?

The JavaScript API doesn't require a "client secret":

WL.init({ client_id: app_client_id, redirect_uri: redirect_url, scope: "wl.signin", response_type: "token" });

But if you want to make the REST call directly, it's needed:

POST https://login.live.com/oauth20_token.srf
Content-Type: application/x-www-form-urlencoded

client_id=client_id&redirect_uri=redirect_url&client_secret=client_secret&code=authorization_code&grant_type=authorization_code

Code from: http://msdn.microsoft.com/en-us/library/hh243641.aspx

I'm assuming the client secret is a security feature, but if so, why can a connection through the JS API be made with fewer security constraints than a direct connection to the service? Being "optionally required" depending on context looks like an oxymoron to me, but I may have missed something.

Probably because server-side code offers more access, such as:

Required. Specifies the scopes the user signing in consents to. For a single scope, use the format: scope: "wl.signin". For multiple scopes, use the format: scope: ["wl.signin", "wl.basic"]. If no scope is provided, the scope value of WL.init is used. If no scope is provided in WL.init or WL.login, WL.login returns an error. Note that WL.login can request the "wl.offline_access" scope, which requires a server-side implementation, and the WL.init function must set the response_type property to "code".

Basically, the client secret gives you a higher security clearance that can access stuff you can't otherwise.

Note: you may be able to get around this limitation by provisioning the app as a desktop/mobile app at the Live SDK dashboard.
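The two flows discussed above, as an added example (not code from the question, the answer, or the Live SDK itself): the browser client uses the implicit flow (response_type=token) and never holds a secret, while the server exchanges an authorization code at the token endpoint and proves its identity with client_secret, which is what the server-only wl.offline_access scope depends on. The token endpoint and parameters are the ones in the question; the authorize endpoint (oauth20_authorize.srf) is assumed from the same Live Connect docs.

```javascript
// Added example: public (browser) client vs confidential (server) client.
// The secret only appears in the server-side function; anything shipped to
// a browser can be read by its user, so a secret there protects nothing.
const AUTHORIZE_URL = "https://login.live.com/oauth20_authorize.srf"; // assumed endpoint
const TOKEN_URL = "https://login.live.com/oauth20_token.srf";        // from the question

// Builds the browser-side authorize URL (what WL.init/WL.login do internally).
// No client_secret is ever added here.
function buildAuthorizeUrl({ clientId, redirectUri, scope, responseType }) {
  const scopes = Array.isArray(scope) ? scope : [scope];
  // The answer's point: wl.offline_access needs a server to hold the secret,
  // so it is only valid with response_type=code.
  if (scopes.includes("wl.offline_access") && responseType !== "code") {
    throw new Error("wl.offline_access requires response_type=code");
  }
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "),
    response_type: responseType,
  });
  return `${AUTHORIZE_URL}?${params.toString()}`;
}

// Builds the server-side code-for-token exchange shown in the question.
// This runs only on the server: the secret never reaches the browser.
function buildTokenRequest({ clientId, clientSecret, redirectUri, code }) {
  if (!clientSecret) {
    throw new Error("authorization_code grant needs client_secret");
  }
  const body = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    client_secret: clientSecret,
    code,
    grant_type: "authorization_code",
  });
  return {
    method: "POST",
    url: TOKEN_URL,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}
```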

javascript security rest live-sdk onedrive-api
