I just noticed that some words were missing in my previous post. Here is the full text that Eran requested:
Allowing unauthenticated access to the token endpoint by public clients has security ramifications. So does issuing refresh tokens to public clients. Such security ramifications MUST be considered. See section 10 for further details.

Huilan

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lu, Hui-Lan (Huilan)
> Sent: Thursday, August 18, 2011 5:47 PM
> To: 'Eran Hammer-Lahav'; Brian Campbell
> Cc: oauth
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification
>
> > > It is difficult to parse the last sentence of 3.2.1: "The security
> > > ramifications of allowing unauthenticated access by public clients to the
> > > token endpoint MUST be considered, as well as the issuance of refresh
> > > tokens to public clients, their scope, and lifetime."
> > >
> > > I think it should be rewritten and reference relevant parts of security
> > > considerations.
> >
> > Text?
> >
> > EHL
>
> Here is my stab:
> Allowing unauthenticated access by public clients has security ramifications.
> So does the issuance of refresh tokens to public clients. Such security
> ramifications MUST be considered. See section 10 for further details.
>
> Huilan
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
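The wording under discussion says only that the consequences of unauthenticated public clients at the token endpoint, and of refresh tokens issued to them, MUST be considered; it prescribes no particular policy. The following is an added example (not text or code from the thread, the draft, or any RFC) of one authorization-server policy a practitioner might adopt after that consideration: confidential clients must authenticate, public clients are identified but not authenticated, and a public client's refresh token gets a shorter lifetime and a narrower scope than the access token it accompanies. The client registry, secrets, scope names and lifetimes are constructed for the illustration, and the `refresh_record` structure is server-side bookkeeping, not a standard wire parameter.

```python
"""Illustrative token-endpoint policy for public vs. confidential clients.

Added example, not from the OAuth WG thread or any RFC text. The registry,
secrets, scopes and lifetimes are constructed for the illustration.
"""
import hmac
import secrets

# Constructed client registry: one confidential client (holds a secret) and one
# public client (cannot keep a secret, e.g. a native or browser-based app).
CLIENTS = {
    "web-backend": {"type": "confidential", "secret": "s3cr3t-backend",
                    "scopes": {"read", "write", "admin"}},
    "mobile-app": {"type": "public", "secret": None,
                   "scopes": {"read", "write"}},
}

# Policy knobs (assumed values).
ACCESS_TOKEN_TTL = 3600
REFRESH_TTL_CONFIDENTIAL = 30 * 24 * 3600   # 30 days
REFRESH_TTL_PUBLIC = 24 * 3600              # 1 day for public clients
# A public client's refresh token may renew only these scopes; anything else
# (here "write") requires fresh user interaction.
REFRESH_SCOPES_ALLOWED_TO_PUBLIC = {"read"}


class TokenError(Exception):
    """Carries the OAuth error code the endpoint would return."""


def authenticate_client(client_id, client_secret):
    """Return the client record, enforcing the per-type authentication rule."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise TokenError("invalid_client")
    if client["type"] == "confidential":
        # Confidential clients must prove possession of their secret.
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise TokenError("invalid_client")
    else:
        # Public clients are only identified. A presented "secret" proves
        # nothing and is rejected so it cannot be mistaken for authentication.
        if client_secret is not None:
            raise TokenError("invalid_client")
    return client


def issue_tokens(client_id, client_secret, requested_scopes):
    """Build the token response plus the server-side refresh-token record."""
    client = authenticate_client(client_id, client_secret)
    scopes = set(requested_scopes)
    if not scopes or not scopes <= client["scopes"]:
        raise TokenError("invalid_scope")

    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": ACCESS_TOKEN_TTL,
        "scope": " ".join(sorted(scopes)),
    }
    refresh_record = None

    if client["type"] == "confidential":
        refresh_scopes, ttl = scopes, REFRESH_TTL_CONFIDENTIAL
    else:
        # Public client: narrow the scope and shorten the lifetime, or withhold
        # the refresh token entirely if nothing renewable remains.
        refresh_scopes, ttl = scopes & REFRESH_SCOPES_ALLOWED_TO_PUBLIC, REFRESH_TTL_PUBLIC

    if refresh_scopes:
        response["refresh_token"] = secrets.token_urlsafe(32)
        refresh_record = {"client_id": client_id, "ttl": ttl,
                          "scope": sorted(refresh_scopes)}

    return {"response": response, "refresh_record": refresh_record}


def try_issue(client_id, client_secret, requested_scopes):
    """Convenience wrapper: ('ok', result) or ('error', code)."""
    try:
        return "ok", issue_tokens(client_id, client_secret, requested_scopes)
    except TokenError as exc:
        return "error", exc.args[0]


if __name__ == "__main__":
    print(try_issue("web-backend", "s3cr3t-backend", ["read", "admin"]))
    print(try_issue("web-backend", None, ["read"]))
    print(try_issue("mobile-app", None, ["read", "write"]))
    print(try_issue("mobile-app", "guessed", ["read"]))
```

The public-client branch is where the "scope, and lifetime" part of the original sentence becomes concrete: the access token still carries everything the user granted, but what a stolen refresh token can renew is bounded in both dimensions.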