Hi Eran,
> OAuth 1.0 was highly criticized for failing to address client identity
> in public clients. I believe OAuth 2.0 offers a much better story,
> within the boundaries of what's possible today.
Agreed. I think we must honestly discuss the value of client
authentication/identification itself. I personally think it is over-emphasized
right now. The strength of OAuth 2.0 is that it allows solutions where neither
client nor resource server has access to, or stores, end-user credentials.
Client authentication is nice but not the main feature.
> Do you have any specific suggestions not already mentioned on the list?
I would suggest mentioning that while an invalid redirect_uri indicates
a counterfeit client, a valid redirect_uri does not prove the calling
client's identity.
regards,
Torsten.
EHL
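The redirect_uri point above, as an added example that is not part of the thread (Python, written for this page, not code from any OAuth implementation): an authorization server validates the presented redirect_uri by exact string comparison against the client's registered URIs, as RFC 6749 section 3.1.2.3 requires. A mismatch rejects the request as not coming from the registered client configuration; a match only permits the redirect and leaves the public client unauthenticated. The client registry, client ids and URIs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registry of public clients (no client secret), keyed by client_id.
# Values are the redirect URIs each client registered ahead of time.
REGISTERED_CLIENTS = {
    # A custom scheme like myapp:// can be claimed by any app on the device,
    # which is exactly why a match here cannot identify the caller.
    "mobile-app-1": {"myapp://callback", "https://app.example.com/cb"},
    "spa-2": {"https://spa.example.org/oauth/return"},
}


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison of the presented redirect_uri against the
    client's registered set, per RFC 6749 section 3.1.2.3. No prefix or
    host-only matching: a registered prefix would let any path under it
    be used as a redirection target."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        return False
    # RFC 6749 section 3.1.2: the redirection endpoint must not carry a fragment.
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in registered


def authorize(client_id: str, redirect_uri: str) -> dict:
    """Decision an authorization server can draw from the redirect_uri check alone.

    A mismatch is a hard stop: the request does not match the registered
    configuration of this client, and the user agent must not be redirected
    to the unregistered URI. A match only means the redirect is allowed; it
    says nothing about who is asking, so client_authenticated stays False
    for a public client."""
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return {
            "allowed": False,
            "client_authenticated": False,
            "reason": "redirect_uri not registered for client_id; do not redirect",
        }
    return {
        "allowed": True,
        "client_authenticated": False,
        "reason": "redirect_uri registered; client identity still unverified",
    }


if __name__ == "__main__":
    for cid, uri in [
        ("mobile-app-1", "https://app.example.com/cb"),
        ("mobile-app-1", "https://app.example.com/cb/extra"),
        ("mobile-app-1", "https://app.example.com/cb#token"),
        ("unknown-client", "https://app.example.com/cb"),
    ]:
        print(cid, uri, authorize(cid, uri))
```

The decision dictionary keeps the two facts separate on purpose: "allowed" is what the redirect_uri check can establish, and "client_authenticated" is what it cannot. Anything that needs the caller's identity (issuing a confidential client's token, for instance) has to come from a real client credential, not from this check.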
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth