Brian Eaton <bea...@google.com> wrote on 16-06-2011 10:36:18 AM:
> From: Brian Eaton <bea...@google.com>
> To: Shane B Weeden/Australia/IBM@IBMAU
> Cc: OAuth WG <oauth@ietf.org>
> Date: 16-06-11 10:49 AM
> Subject: Re: [OAUTH-WG] Client authentication requirement
>
> On Wed, Jun 15, 2011 at 3:50 PM, Shane B Weeden <swee...@au1.ibm.com> wrote:
> Brian - can you elaborate on that a little? Are you suggesting that clients
> that can't keep secrets use a dummy (notasecret) pwd anyway to satisfy
> "requiring client authentication"?
>
> Or use random secrets. Whatever floats your boat and keeps your
> product managers happy. It does not make a practical security
> difference for installed applications.

That is the same thing as not requiring client authentication at all (for installed applications). Having the spec say client authentication is REQUIRED for the token endpoint is therefore misleading and nonsensical.

> What seems to be missing in the discussion and the security considerations
> of the spec is a decent list of general and grant-type-specific security
> implications/pros/cons for the system if meaningful client authentication
> at the token endpoint is available or not available.
>
> Yep.

I believe this piece of work would go a long way to settling the disputes about when/why/if client authentication should be required at the token endpoint. For example I would like to see attempts to answer this question: If client authentication is not possible or required at the token endpoint for native/installed apps, what advantages are gained from requiring it for clients that can authenticate?
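The following is an added illustration, not code from the thread, the OAuth specification, or any IBM or Google product. It models a token endpoint in Python to make the two points above concrete: for a confidential (server-side) client, the client secret means a leaked authorization code cannot be exchanged by whoever captured it; for an installed application, the same check exists but proves nothing, because the "secret" ships inside the binary and is known to anyone who can run the app. Client ids, the secret `notasecret` (borrowed from the thread's wording), and the authorization codes are all constructed; secret storage as a SHA-256 digest and constant-time comparison are this example's choices, not something the spec mandates.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Client:
    client_id: str
    confidential: bool            # True for a server-side app that can keep a secret
    secret_hash: Optional[bytes]  # digest of the registered client_secret, else None


@dataclass
class AuthCode:
    code: str
    client_id: str                # the client this code was issued to
    redeemed: bool = False        # authorization codes are single-use


def _hash_secret(secret: str) -> bytes:
    # Store only a digest so a registry leak does not expose raw secrets.
    return hashlib.sha256(secret.encode()).digest()


class TokenEndpoint:
    """Toy authorization server: client registry plus a code-for-token exchange."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.codes: Dict[str, AuthCode] = {}

    def register_client(self, client_id: str, confidential: bool,
                        secret: Optional[str] = None) -> None:
        digest = _hash_secret(secret) if secret is not None else None
        self.clients[client_id] = Client(client_id, confidential, digest)

    def issue_code(self, client_id: str) -> str:
        # What the authorization endpoint would return via the redirect URI.
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthCode(code, client_id)
        return code

    def _authenticate(self, client: Client, presented: Optional[str]) -> bool:
        # The check is identical for both client types; what differs is
        # whether knowing the secret actually distinguishes the real client.
        if client.secret_hash is None:
            return not client.confidential   # confidential clients must have one
        if presented is None:
            return False
        return hmac.compare_digest(_hash_secret(presented), client.secret_hash)

    def token(self, client_id: str, code: str,
              client_secret: Optional[str] = None) -> dict:
        client = self.clients.get(client_id)
        if client is None or not self._authenticate(client, client_secret):
            return {"error": "invalid_client"}
        auth = self.codes.get(code)
        if auth is None or auth.redeemed or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        auth.redeemed = True
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def leaked_code_outcome(confidential: bool) -> str:
    """What happens when a party other than the client holds a leaked code.

    For an installed app the registered secret is embedded in the binary, so
    that party knows it too (modelled by handing it over); a server-side
    client keeps its secret private, so the party presents nothing.
    """
    ep = TokenEndpoint()
    ep.register_client("app", confidential, secret="notasecret")  # constructed
    code = ep.issue_code("app")           # constructed: assume this code leaked
    known_secret = None if confidential else "notasecret"
    resp = ep.token("app", code, client_secret=known_secret)
    return "token_issued" if "access_token" in resp else resp["error"]


if __name__ == "__main__":
    print("confidential client, leaked code:", leaked_code_outcome(True))
    print("installed app, leaked code:      ", leaked_code_outcome(False))
```

Running it prints `invalid_client` for the confidential client and `token_issued` for the installed app: the endpoint verified a secret in both cases, but only the first verification carried any security, which is the practical difference the question at the end of the message asks about.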