Hi, I have a question regarding unauthenticated requests to a token endpoint in OAuth 2.0. The spec v2-15 section 3 says [1] that "the authorization server MAY allow unauthenticated access token requests when the client identity does not matter". Does that mean omitting "client_id" and "client_secret" parameters altogether?
In our setting there are two types of clients: regular clients with proper credentials (username/password) and JavaScript clients working anonymously. The server is supposed to grant different permissions to these groups of clients based on the authentication method used. It's not clear from the spec how the anonymous access should be requested. Please advise! Thanks!

[1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3

--
Vlad Skvortsov, VP Engineering Echo, v...@aboutecho.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth