> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Wednesday, June 15, 2011 1:53 PM
> To: Eran Hammer-Lahav
> Cc: Brian Campbell; OAuth WG
> Subject: Re: [OAUTH-WG] Client authentication requirement
>
> > We have one grant type without client authentication (implicit)
>
> I suspect another choice of words would be useful there. Implicit grants rely
> on the browser's authentication of the receiving web site. When https is
> used, that authentication is fairly strong.

"authentication of the receiving web site"? Authentication how, and what is a receiving web site? The implicit grant relies on the presence of the user to "vouch" for the client by making the connection of how it got to the authorization server and what she is being asked to approve. In other words, the user does something that lands her in front of an authorization page. If that page makes sense to her in that flow, she approves access to the party that got her there.

What does HTTPS have to do with this?

EHL