That's only when you need to trust the client. If your requirements demand registration, discovery is mostly pointless (other than dynamic configuration).

EHL

On 4/6/10 6:58 AM, "Brian Eaton" <bea...@google.com> wrote:

Web clients are expected to have secrets or to have otherwise registered with the AS. In order for them to use those secrets, they need to know the AS URL.

Cheers,
Brian

On Tue, Apr 6, 2010 at 1:23 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Why?
>
>
> On 4/6/10 12:58 AM, "Brian Eaton" <bea...@google.com> wrote:
>
> On Tue, Apr 6, 2010 at 12:47 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> That's the same as what I have in the draft, only with a single endpoint
>> instead of two. Since we already have a 'mode' parameter (which I am
>> renaming to 'type'), that single endpoint can speak more than one flow.
>
> Note that the discovery flow I outlined only works for rich clients,
> and is completely insecure for other types of clients.
>
> In another thread Leif mentioned similar concerns. I think they are
> justified.
>
> Cheers,
> Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth