On 37-01--10 11:59 AM, Brian Campbell wrote:
Yeah, I had just sort of been going off the assumption that
client_id is required & client_secret is not but, looking at -15
again, I agree that it's not entirely obvious.  There's the text at
the end of section 3 that says it allows for unauthenticated clients.
Then in 3.1 both client_id & client_secret are marked as required.
So, while it says unauthenticated clients are allowed, it's not fully
clear how they are supposed to work or what parameters they should
present.

Agreed, this wasn't clear to me either.

As someone else pointed out, client_id is introduced in section 3.1; at the same time the whole section 3.1 seems optional due to the MAY at its beginning, and supported by the MAY in section 3.2.

Section 3's introduction is ambiguous, specifically this part:

   For readability purposes only, this specification is
   written under the assumption that the authorization
   server requires some form of client authentication.
   However, such language does not affect the
   authorization server's discretion in allowing
   unauthenticated client requests.

The language here seems to overrule some of the RFC2119 MUSTs (sections 4.1.3, 4.3.2):

   The authorization server MUST:
   o  Validate the client credentials

But not others that an authentication server that wishes to allow unauthenticated clients may expect -- the client_id/client_secret not being REQUIRED.


Johnny
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
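An added example, not code from the thread or from the draft, of a token endpoint client check that follows the reading Brian describes: client_id is always required, client_secret only for confidential clients, so the "MUST validate the client credentials" step still has content while unauthenticated (public) clients are allowed. The client registry, client ids and secret are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def _hash(secret: str) -> str:
    # Secrets are stored hashed; compared in constant time below.
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed registry: one confidential client (has a secret), one public client.
REGISTERED_CLIENTS = {
    "web-app": {"confidential": True, "secret_hash": _hash("s3cret")},
    "native-app": {"confidential": False, "secret_hash": None},
}

@dataclass
class ClientAuthResult:
    ok: bool
    client_id: Optional[str]
    authenticated: bool          # True only when a secret was presented and verified
    error: Optional[str] = None  # OAuth error code when ok is False

def authenticate_client(params: dict, registry=REGISTERED_CLIENTS) -> ClientAuthResult:
    """Resolve the client for a token request under the reading discussed in
    the thread: client_id required, client_secret required only for
    confidential clients, unauthenticated public clients permitted."""
    client_id = params.get("client_id")
    secret = params.get("client_secret")
    if not client_id:
        return ClientAuthResult(False, None, False, "invalid_request")
    client = registry.get(client_id)
    if client is None:
        # Unknown id fails exactly like a bad secret, so ids cannot be enumerated.
        return ClientAuthResult(False, client_id, False, "invalid_client")
    if client["confidential"]:
        # Here "validate the client credentials" has teeth: the secret is mandatory.
        if secret is None or not hmac.compare_digest(_hash(secret), client["secret_hash"]):
            return ClientAuthResult(False, client_id, False, "invalid_client")
        return ClientAuthResult(True, client_id, True)
    # Public client: accepted without authentication. The result is marked
    # unauthenticated so later policy (e.g. which grants are allowed) can restrict it.
    return ClientAuthResult(True, client_id, False)
```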
