> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurte...@google.com]
> Sent: Wednesday, January 26, 2011 12:09 PM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
>
> - 4.1. Authorization Code. It is stated that authorization code is suitable for
> clients that can hold a secret. Not necessarily true; it is the best flow for
> native apps, for example.
While the authorization code *can* be used without client authentication, it was designed explicitly for that use case. By defining it as such, we make the security consideration section significantly simpler and more specific. Now, this does not prevent using it without client authentication. Note that this is prose and not normative language. I would rather not change this. I think using the ability of the client to authenticate with confidential credentials has been a huge issue for OAuth 1.0 understanding and implementers, and this is the simplest way to address it. At some point, trying to make every single word be 100% compatible with every conceivable use case makes the specification unusable.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth