Hey guys, I am working with the engineers at my company to roll out OAuth 2
support for mobile and desktop.

One concern is Section 3 of the spec calling out the fact that the client id
should not be used by itself; however, the implicit grant does just that.
And the new native apps section does not provide pros and cons of each. Can
we get some clarity on what the recommended approach is?
Here are the excerpts:

http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-3
The client identifier is not a secret, it is exposed to the resource
owner, and MUST NOT be used alone for client authentication. Client
authentication is accomplished via additional means such as a
matching client password.

http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.2
Example:
GET /authorize?response_type=token&*client_id*=s6BhdRkqt
3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Thanks
Monica
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
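An added illustration, not code from this post or from the draft, of why the implicit grant can proceed with only a public client_id: the authorization server never treats client_id as proof of identity; it only redirects to a redirect_uri that was registered for that client_id ahead of time, and refuses to send anything to any other URI. The client_id value is taken from the draft's example; the client registry and the registered redirect_uri are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode
import secrets

# Constructed registry of public (implicit-grant) clients. They have no secret,
# so the only thing that ties a client_id to a party is the redirect_uri that
# was registered up front. client_id is the draft's example value; the
# redirect_uri is hypothetical.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": {"https://client.example.com/cb"}},
}


def handle_implicit_authorize(request_target: str, approved_by_owner: bool = True) -> str:
    """Validate an implicit-grant authorization request and build the redirect.

    request_target is the path and query of the GET, e.g.
    '/authorize?response_type=token&client_id=...&redirect_uri=...'.
    Returns the Location the user agent should be redirected to.
    Raises ValueError for requests that must not be redirected at all.
    """
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    response_type = params.get("response_type", [None])[0]
    state = params.get("state", [None])[0]

    client = REGISTERED_CLIENTS.get(client_id)
    # client_id is public and proves nothing by itself. The server may only
    # continue if redirect_uri exactly matches one registered for that id;
    # otherwise nothing is sent to the supplied URI, which is untrusted input.
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unknown client_id or unregistered redirect_uri")

    frag = {}
    if response_type != "token":
        frag["error"] = "unsupported_response_type"
    elif not approved_by_owner:
        frag["error"] = "access_denied"
    else:
        frag.update(access_token=secrets.token_urlsafe(32),
                    token_type="bearer", expires_in="3600")
    if state is not None:
        frag["state"] = state
    # The implicit grant returns the token in the URI fragment, not the query.
    return f"{redirect_uri}#{urlencode(frag)}"
```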
