No, client_id is always required. Basic will just duplicate it (server must check they match - that's the "basic auth binding").
I'll clarify it.

EHL

> -----Original Message-----
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Monday, May 16, 2011 3:45 PM
> To: Vlad Skvortsov
> Cc: Eran Hammer-Lahav; oauth@ietf.org
> Subject: Re: [OAUTH-WG] unauthenticated token requests
>
> Yeah, I had just sort of been going off the assumption that client_id is
> required & client_secret is not but, looking at -15 again, I agree that it's not
> entirely obvious. There's the text at the end of section 3 that allows for
> unauthenticated clients.
> Then in 3.1 both client_id & client_secret are marked as required.
> So, while it says unauthenticated clients are allowed, it's not fully clear how
> they are supposed to work or what parameters they should present.
>
> Along the same lines, can an unauthenticated client use HTTP Basic as shown
> in section 3.2 to present only the client_id? Would that just amount to using
> an empty string in place of a password? So something like some_client_id:
> would end up as the header,
> Authorization: Basic c29tZV9jbGllbnRfaWQ6 ?
>
>
> On Mon, May 16, 2011 at 11:18 AM, Vlad Skvortsov <v...@aboutecho.com> wrote:
> >
> > On Fri, May 13, 2011 at 04:15:17PM -0700, Eran Hammer-Lahav wrote:
> > > The client_id is required. client_secret is not.
> >
> > Ok, thanks! This might deserve a clarification in the spec though -
> > not obvious.
> >
> > > EHL
> > >
> > > On May 13, 2011, at 16:00, "Vlad Skvortsov" <v...@aboutecho.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I have a question regarding unauthenticated requests to a token
> > > > endpoint in OAuth 2.0. The spec v2-15 section 3 says[1] that "the
> > > > authorization server MAY allow unauthenticated access token
> > > > requests when the client identity does not matter". Does that mean
> > > > omitting "client_id" and "client_secret" parameters altogether?
> > > >
> > > > In our setting there are two types of clients: regular clients
> > > > with proper credentials (username/password) and JavaScript clients
> > > > working anonymously. The server is supposed to grant different
> > > > permissions to these groups of clients based on the authentication
> > > > method used.
> > > >
> > > > It's not clear from the spec how the anonymous access should be
> > > > requested. Please advise!
> > > >
> > > > Thanks!
> > > >
> > > > [1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3
> > > >
> > > > --
> > > > Vlad Skvortsov, VP Engineering Echo, v...@aboutecho.com
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
> >
> > --
> > Vlad Skvortsov, v...@aboutecho.com
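The token-endpoint check that Eran's reply describes (client_id always required; a Basic username must match the body client_id) together with the empty-password "some_client_id:" header Brian asks about, as an added example that is not from the thread or any OAuth implementation. The client registry, its entries and the `ClientAuth` result type are constructed for the example.

```python
import base64
import hmac
from dataclasses import dataclass
# Constructed registry (hypothetical): a None secret marks a client registered to
# make unauthenticated token requests, e.g. an anonymous JavaScript client.
CLIENTS = {"some_client_id": None, "confidential_app": "s3cr3t"}

class InvalidClient(Exception): pass  # maps to the invalid_client / invalid_request error

@dataclass
class ClientAuth:
    client_id: str
    authenticated: bool  # lets the server grant different permissions per client group

def basic_header(client_id, secret=""):
    """Build an HTTP Basic header; an empty secret yields 'client_id:' as in the thread."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def _parse_basic(header):
    """Return (client_id, client_secret) from a Basic header, or None if absent."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        raise InvalidClient("malformed Basic credentials")
    client_id, _, secret = decoded.partition(":")
    return client_id, secret  # "some_client_id:" -> ("some_client_id", "")

def authenticate_client(headers, form):
    basic = _parse_basic(headers.get("Authorization"))
    body_id, body_secret = form.get("client_id"), form.get("client_secret")
    # client_id is always required: body parameter, Basic username, or both.
    client_id = body_id or (basic[0] if basic else None)
    if not client_id:
        raise InvalidClient("client_id is required")
    # Basic auth binding: when both carry a client_id they must name the same client.
    if basic and body_id and basic[0] != body_id:
        raise InvalidClient("client_id does not match Basic credentials")
    if client_id not in CLIENTS:
        raise InvalidClient("unknown client")
    secret = (basic[1] if basic else "") or body_secret or ""
    expected = CLIENTS[client_id]
    if not secret:  # unauthenticated request: only for clients registered without a secret
        if expected is not None:
            raise InvalidClient("client_secret required for this client")
        return ClientAuth(client_id, authenticated=False)
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        raise InvalidClient("bad client_secret")
    return ClientAuth(client_id, authenticated=True)
```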