I'm sure this has been gone over before, so apologies for that, but I haven't found a clear answer (is there a better way than just Google to search the mailing list archive, by the way?).

I've been puzzling over this text in 4.2: "... the authentication of the client is based on the user-agent's same-origin policy." I get that the client can't be provisioned with secret credentials and that's why we're using this flow, but I'm puzzled by the implication that it might still be possible to authenticate the client. Isn't the point of this flow that you can't? Specifically, how would you verify that the request is coming from a user agent that even has a same-origin policy?

Thanks!

- Craig.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
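As an added illustration of the mechanism the quoted sentence from 4.2 refers to (this is example code written for this page, not Craig's or the working group's): in the implicit grant the authorization server never authenticates the client directly. It only ever delivers the access token, in the URI fragment, to a redirect URI registered for that client_id, so only script running on that registered origin can read it; the "authentication" is the combination of a strict redirect URI match on the server and the browser's same-origin policy on the client side. The client registry and token values below are constructed sample data.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample registry: client_id -> registered redirect URIs (exact strings).
# A real server would load these from its client registration store.
REGISTERED_CLIENTS = {
    "spa-demo": ["https://app.example/callback"],
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-string comparison against the registration: no prefix, wildcard or
    host-only matching, because any looser rule lets the token be sent to an
    origin the client does not control."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False  # must be absolute, https, and carry no fragment of its own
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def token_readable_origin(redirect_uri: str) -> str:
    """The origin whose documents can read the fragment after the redirect.
    This is what the same-origin policy binds the token to."""
    parts = urlsplit(redirect_uri)
    return f"{parts.scheme}://{parts.netloc}"


def build_implicit_redirect(client_id: str, redirect_uri: str, state: str,
                            access_token: str, expires_in: int = 3600) -> str:
    """Server side of the implicit grant response: fail closed if the redirect
    URI is not registered, otherwise put the token in the fragment so it never
    reaches the redirect target's server logs, only the page's script."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("redirect_uri is not registered for this client_id")
    params = {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": str(expires_in),
        "state": state,
    }
    return f"{redirect_uri}#{urlencode(params)}"


if __name__ == "__main__":
    url = build_implicit_redirect("spa-demo", "https://app.example/callback",
                                  state="xyz", access_token="tok123")
    print(url)
    print("readable only from origin:", token_readable_origin(url))
```

The server cannot tell whether the thing on the other end of the redirect enforces a same-origin policy; it can only make sure the token goes nowhere except the registered origin, which is why the text speaks of the user-agent's policy rather than of verifying the client.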