On Thu, Jan 20, 2011 at 2:25 PM, Brian Campbell <bcampb...@pingidentity.com> wrote: > Okay, sorry, I see the distinction you were making. The client could > potentially be told the client_assertion_type and given the assertion > (assuming it's properly encoded for all the hops) by some IdP/STS and make > use of the use of the spec, as it is written in -11. Maybe then some > clients could support stronger forms of authentication for OAuth without > knowing about or being coded for an extension. Maybe. But they still would > need to know how to get the assertion and URI which is another animal all > together.
That's right, the client would have to know how to interact with the local IdP (and possibly how to authenticate with it). Marius _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth