On Thu, Jan 20, 2011 at 2:14 PM, Phillip Hunt <phil.h...@oracle.com> wrote: > The client does need to know how to authenticate. But given that it already > has to know a lot about the service, you would think acceptable > authentication types are well known to the client.
Yes, true. > What is the problem with the client authenticating like any normal web > service client? (IE outside of oauth) > > Why involve oauth in any authentication for User or client? What is a normal web service client? Since the client has to POST a bunch of parameters as form encoded, it is simpler to also send authentication parameters there. Providing alternate methods of authentication is just asking for trouble. Of course, the spec could require that authentication is only sent through some other method, but I think it is way too late for such a change. Marius _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
