Hi Eran,
Would you please add the following sentence (which was contained in the
original security considerations text) to the second paragraph of
section 1.0.1?
Alternatively, authorization servers MUST utilize
other means than client authentication to achieve their security
objectives.
I think it's important to state that the authorization server should
consider alternative ways to validate the client identity if secrets
cannot be used. The security threat document also suggests some.
regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth