On Thu, Jan 20, 2011 at 2:14 PM, Phillip Hunt <phil.h...@oracle.com> wrote:
> The client does need to know how to authenticate. But given that it already 
> has to know a lot about the service, you would think acceptable 
> authentication types are well known to the client.

Yes, true.


> What is the problem with the client authenticating like any normal web 
> service client? (IE outside of oauth)
>
> Why involve oauth in any authentication for User or client?

What is a normal web service client? Since the client has to POST a
bunch of parameters as form encoded, it is simpler to also send
authentication parameters there. Providing alternate methods of
authentication is just asking for trouble. Of course, the spec could
require that authentication is only sent through some other method,
but I think it is way too late for such a change.


Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to