Hi, the Online Media Authorization Protocol (OMAP) is a (as yet
unreleased) profile of OAuth 2.0 for online delivery of video content
based on a user's subscriptions (the TV Everywhere use case)
We want to support both server & native mobile clients. It is for the
second class of clients that I'd appreciate some clarification of
'confidentiality' as defined in OAuth 2.
OAuth 2 distinguishes confidential & public clients based on their
ability to secure the credentials they'd use to authenticate to an AS -
confidential clients can protect those credentials, public clients can't.
Notwithstanding the above definition, the spec gives a degree of
discretion to the AS
The client type designation is based on the authorization server's
definition of secure authentication and its acceptable exposure
levels of client credentials.
Give this discretion, is itpractical for the OMAP spec to stipulate that
'All Clients (both server & native mobile), MUST be confidential', ie
let each individual OMAP AS specify its own requirements of clients and
their ability to securely authenticate?
Is this consistent with the OAuth definition of confidentiality?
Thanks
Paul
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
