Draft 15, section 2.1

> Since requests to the authorization endpoint result in user
> authentication and the transmission of clear-text credentials (in the
> HTTP response), the authorization server MUST require the use of a
> transport-layer security mechanism when sending requests to the token
> endpoints. The authorization server MUST support TLS 1.2 as defined
> in [RFC5246], and MAY support additional transport-layer mechanisms
> meeting its security requirements.

I'm confused by the fact that token endpoints must use HTTPS due to a trait of the authorization endpoint. Am I missing something here, or is this perhaps a misprint?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth