On Thu, Jan 20, 2011 at 2:25 PM, Brian Campbell
<bcampb...@pingidentity.com> wrote:
> Okay, sorry, I see the distinction you were making.  The client could
> potentially be told the client_assertion_type and given the assertion
> (assuming it's properly encoded for all the hops) by some IdP/STS and make
> use of the use of the spec, as it is written in -11.  Maybe then some
> clients could support stronger forms of authentication for OAuth without
> knowing about or being coded for an extension.  Maybe.  But they still would
> need to know how to get the assertion and URI which is another animal all
> together.

That's right, the client would have to know how to interact with the
local IdP (and possibly how to authenticate with it).

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to