On Wed, Feb 16, 2011 at 9:00 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>
>
>> -----Original Message-----
>> From: Marius Scurtescu [mailto:mscurte...@google.com]
>> Sent: Wednesday, January 26, 2011 12:09 PM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Draft -12 feedback deadline
>>
>> - 4.1. Authorization Code. It is stated that authorization code is suitable for
>> clients that can hold a secret. Not necessarily true, it is the best flow for
>> native apps, for example.
>
> While the authorization code *can* be used without client authentication, it
> was designed explicitly for that use case. By defining it as such, we make
> the security consideration section significantly simpler and more specific.
>
> Now, this does not prevent using it without client authentication. Note that
> this is prose and not normative language.
>
> I would rather not change this. I think using the ability of the client to
> authenticate with confidential credentials has been a huge issue for OAuth
> 1.0 understanding and implementers and this is the simplest way to address it.
>
> At some point, trying to make every single word be 100% compatible with every
> conceivable use case makes the specification unusable.

Yes, I understand. But Native Apps have no appropriate flow now, and they started the whole protocol.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
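The disagreement above turns on one detail of the authorization code grant: the token request looks the same for a confidential client and for a public client (a native app), except that the confidential client can prove who it is when it redeems the code, while the public client can only name itself. The following added example (not from the thread and not from any OAuth WG draft) builds both forms of the token request and shows a toy server-side check that decides whether the redeeming client was actually authenticated. Parameter names follow the authorization code grant as it ended up in OAuth 2.0; the endpoint, client identifiers, secret, redirect URIs and code are constructed for illustration.

```python
"""Authorization code grant: confidential client vs. public (native) client.

Added example, not code from the OAuth WG thread. Client registration data,
secret, code and URIs below are constructed values, not real credentials.
"""
import base64
import hmac
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed

# Constructed registration table: a secret means the client is confidential,
# None means the client is public (e.g. a native app that cannot keep a secret).
REGISTERED = {
    "web-client": "s3cret",
    "native-app": None,
}


def token_request(code, redirect_uri, client_id, client_secret=None):
    """Build the (headers, body) of a token request that redeems `code`.

    A confidential client authenticates with HTTP Basic (client_id:secret).
    A public client has no secret, so it can only identify itself by putting
    client_id in the form body; nothing in the request proves that identity.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        params["client_id"] = client_id
    return headers, urlencode(params)


def server_check(headers, body, registered):
    """Toy authorization-server view of the same request.

    Returns (client_id, authenticated). `authenticated` is True only when the
    client presented a secret that matches its registration; for a public
    client it is False, which is exactly why the security considerations for
    an unauthenticated client differ: possession of the code is all there is.
    Raises PermissionError("invalid_client") when the request must be refused.
    """
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        expected = registered.get(user)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("invalid_client")
        return user, True
    client_id = form.get("client_id")
    if client_id not in registered:
        raise PermissionError("invalid_client")
    if registered[client_id] is not None:
        # A client registered as confidential must authenticate; refusing here
        # stops a stolen code from being redeemed by anyone who merely knows
        # the client_id.
        raise PermissionError("invalid_client")
    return client_id, False


if __name__ == "__main__":
    for cid, secret in REGISTERED.items():
        h, b = token_request("abc123", "https://client.example/cb", cid, secret)
        print(cid, "->", server_check(h, b, REGISTERED))
```

The server side is deliberately minimal: it only answers the question "was this client authenticated?". In practice the server also verifies that the code was issued to the named client and has not been redeemed before, and compares redirect_uri with the one used in the authorization request; for a public client those checks are the only binding the code has, since no secret is available to tie the redemption to the app that started the flow.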