Clarification would be helpful, thanks. Note that the example in 3.2 doesn't have the client_id parameter in the body of the request.
On Mon, May 16, 2011 at 4:50 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> No, client_id is always required. Basic will just duplicate it (server must
> check they match - that's the "basic auth binding").
>
> I'll clarify it.
>
> EHL
>
>> -----Original Message-----
>> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
>> Sent: Monday, May 16, 2011 3:45 PM
>> To: Vlad Skvortsov
>> Cc: Eran Hammer-Lahav; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] unauthenticated token requests
>>
>> Yeah, I had just sort of been going off the assumption that client_id is
>> required & client_secret is not but, looking at -15 again, I agree that it's
>> not entirely obvious. There's the text at the end of section 3 that allows
>> for unauthenticated clients.
>> Then in 3.1 both client_id & client_secret are marked as required.
>> So, while it says unauthenticated clients are allowed, it's not fully clear
>> how they are supposed to work or what parameters they should present.
>>
>> Along the same lines, can an unauthenticated client use HTTP Basic as shown
>> in section 3.2 to present only the client_id? Would that just amount to
>> using an empty string in place of a password? So something like some_client_id:
>> would end up as the header,
>> Authorization: Basic c29tZV9jbGllbnRfaWQ6 ?
>>
>>
>> On Mon, May 16, 2011 at 11:18 AM, Vlad Skvortsov <v...@aboutecho.com>
>> wrote:
>> >
>> > On Fri, May 13, 2011 at 04:15:17PM -0700, Eran Hammer-Lahav wrote:
>> > > The client_id is required. client_secret is not.
>> >
>> > Ok, thanks! This might deserve a clarification in the spec though -
>> > not obvious.
>> >
>> > >
>> > > EHL
>> > >
>> > > On May 13, 2011, at 16:00, "Vlad Skvortsov" <v...@aboutecho.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I have a question regarding unauthenticated requests to a token
>> > > > endpoint in OAuth 2.0. The spec v2-15 section 3 says[1] that "the
>> > > > authorization server MAY allow unauthenticated access token
>> > > > requests when the client identity does not matter". Does that mean
>> > > > omitting "client_id" and "client_secret" parameters altogether?
>> > > >
>> > > > In our setting there are two types of clients: regular clients
>> > > > with proper credentials (username/password) and JavaScript clients
>> > > > working anonymously. The server is supposed to grant different
>> > > > permissions to these groups of clients based on the authentication
>> > > > method used.
>> > > >
>> > > > It's not clear from the spec how the anonymous access should be
>> > > > requested. Please advise!
>> > > >
>> > > > Thanks!
>> > > >
>> > > > [1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3
>> > > >
>> > > > --
>> > > > Vlad Skvortsov, VP Engineering Echo, v...@aboutecho.com
>> > > > _______________________________________________
>> > > > OAuth mailing list
>> > > > OAuth@ietf.org
>> > > > https://www.ietf.org/mailman/listinfo/oauth
>> >
>> > --
>> > Vlad Skvortsov, v...@aboutecho.com
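One way a token endpoint could apply the binding Eran describes (body client_id always required, a Basic username that must match it, an empty Basic password meaning the client presents only its identity), as an added example that is not part of this thread or of any OAuth implementation; the REGISTERED table, the function names and the "reject:" result strings are assumptions.

```python
import base64
import binascii
import hmac

# Constructed sample registry (hypothetical): client_id -> secret, "" = no secret.
REGISTERED = {"some_client_id": "", "confidential_app": "s3cret"}


def encode_basic(client_id, client_secret=""):
    """Build the Authorization header value; an empty secret yields 'client_id:'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (client_id, client_secret) from a Basic header, None if absent."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("unsupported Authorization scheme")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, sep, password = raw.partition(":")
    if not sep or not user:
        raise ValueError("Basic credentials must be client_id:secret")
    return user, password  # password may be "" (identity only)


def classify_client(form, auth_header, registered=REGISTERED):
    """Apply the binding: body client_id always required, Basic must match it."""
    client_id = form.get("client_id")
    if not client_id:
        return "reject: client_id is required"
    secret = form.get("client_secret", "")
    try:
        basic = parse_basic(auth_header)
    except ValueError as exc:
        return f"reject: {exc}"
    if basic is not None:
        if basic[0] != client_id:
            return "reject: Basic username does not match client_id"
        secret = basic[1]  # header credentials take the place of body ones
    if client_id not in registered:
        return "reject: unknown client_id"
    if secret == "":
        return "unauthenticated"  # identity only; server policy decides its rights
    if not hmac.compare_digest(secret.encode(), registered[client_id].encode()):
        return "reject: bad client_secret"
    return "authenticated"
```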