We never had support for two assertions in one request. The client authenticates itself and can include an assertion (or use type 'none'). The client credentials are the "client assertion" and the assertion is about the resource owner.
Also, you can define an assertion type that's a composite assertion (of one more more). EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Yaron Goland Sent: Friday, June 25, 2010 11:26 AM To: oauth@ietf.org Subject: [OAUTH-WG] Clients authenticating with assertions If a client wants to authenticate itself to a token endpoint to get an access token using an assertion how should it do it? Grant_Type = assertion doesn't seem right because that assertion should be from the resource owner who delegated the permission, not from the client, right? In other words one can end up with an access token request with two assertions, one from the client and one from the resource owner. How is this done? Thanks, Yaron P.S. I looked for something like client_assertion and client_assertion_type in section 2 of -08 but didn't see it. Sorry if I missed it.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
