Compliant - sure. Smart - well, that depends on the use case. OAuth provides a very flexible framework (mostly because we could not agree more on restrictions). This means you can follow the spec and produce a bad or insecure implementation. The spec does warn against such issues, and in the case of unregistered clients, leaves that out of scope (which means it doesn't need to address any security issues involved).
EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Todd W Lainhart
> Sent: Tuesday, October 04, 2011 1:53 PM
> To: OAuth Mailing List
> Subject: [OAUTH-WG] Seeking clarity on Section 4.3 and the specification of client credentials
>
> Although it seems like an abuse of the protocol, I'm wondering at Draft 22 as a mechanism for providing authorization without specifying client credentials (i.e. evaluating it as part of an SSO solution).
>
> Specifically, I'm referencing the scenario/flow in Section 4.3 ("Resource Owner Password Credentials") where a callback_uri parameter is not specified. Assume that the client type is "public".
>
> I'm also referencing Section 2.4, "Unregistered Clients", where the text says that the spec does not exclude the use of unregistered clients (with the appropriate disclaimers).
>
> Under these conditions, can I then expect a spec-compliant authorization server to not require client credentials when requesting an access token?
>
> -- Todd
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
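The following is an added illustration, not code from this thread or from any IETF or vendor implementation, of the distinction Eran draws between "compliant" and "smart". It models the client-authentication decision a token endpoint makes for the resource owner password credentials grant (Section 4.3 of draft 22, later RFC 6749): a confidential client, or any client that was issued credentials, must authenticate (Section 4.3.2); a public client without credentials only identifies itself; and whether a request with no client identity at all is accepted is a local policy choice, since Section 2.4 leaves unregistered clients out of scope. The in-memory client and user tables, the `allow_unregistered` policy flag, the `issued_to` bookkeeping field and all secrets are constructed for the example; client authentication uses the HTTP Basic scheme of Section 2.3.1.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str               # "confidential" or "public" (Section 2.1)
    client_secret: Optional[str]   # None when the client was never issued credentials


# Constructed registration and user tables for this example only.
CLIENTS = {
    "web-app": Client("web-app", "confidential", "s3cret-web"),
    "mobile-app": Client("mobile-app", "public", None),
}
USERS = {"alice": "correct horse battery staple"}


class TokenError(Exception):
    """Token endpoint error; the message is the error code from Section 5.2."""


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison (avoids leaking secret prefixes via timing)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic client-authentication header of Section 2.3.1."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: Optional[str]):
    """Return (client_id, client_secret) from a Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def authenticate_client(form: dict, auth_header: Optional[str], allow_unregistered: bool) -> str:
    """
    Return the client_id the token request is attributed to, or raise TokenError.

    allow_unregistered=True (hypothetical policy flag) models the configuration
    asked about in the thread: a request carrying no client identity is accepted,
    which the spec permits because Section 2.4 leaves unregistered clients out of
    scope. The cost is that the token cannot be attributed, throttled or revoked
    per client, which is the "compliant but not smart" case.
    """
    creds = parse_basic_header(auth_header)
    client_id = creds[0] if creds else form.get("client_id")
    if client_id is None:
        if allow_unregistered:
            return "<unregistered>"
        raise TokenError("invalid_client")
    client = CLIENTS.get(client_id)
    if client is None:
        # A client_id that claims registration but is unknown is always rejected.
        raise TokenError("invalid_client")
    # Section 4.3.2: a confidential client, or any client issued credentials,
    # MUST authenticate; a public client without credentials only identifies itself.
    if client.client_type == "confidential" or client.client_secret is not None:
        if client.client_secret is None or creds is None or not _eq(creds[1], client.client_secret):
            raise TokenError("invalid_client")
    return client.client_id


def password_grant(form: dict, auth_header: Optional[str] = None,
                   allow_unregistered: bool = False) -> dict:
    """Process a grant_type=password token request (Section 4.3) and return the token response."""
    if form.get("grant_type") != "password":
        raise TokenError("unsupported_grant_type")
    client_id = authenticate_client(form, auth_header, allow_unregistered)
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        raise TokenError("invalid_request")
    stored = USERS.get(username)
    if stored is None or not _eq(stored, password):
        raise TokenError("invalid_grant")
    return {
        "access_token": secrets.token_urlsafe(32),   # constructed opaque bearer token
        "token_type": "bearer",
        "issued_to": client_id,   # bookkeeping for the example, not a spec response field
    }


def error_code(form: dict, auth_header: Optional[str] = None,
               allow_unregistered: bool = False) -> Optional[str]:
    """Return the error code a request would produce, or None when a token is issued."""
    try:
        password_grant(form, auth_header, allow_unregistered)
        return None
    except TokenError as exc:
        return str(exc)
```

Run through the four cases the question raises: a confidential client with a valid Basic header gets a token; the same client sending only `client_id` in the form is rejected with `invalid_client`; the registered public client `mobile-app` gets a token on `client_id` alone; and a request with no client identity at all is rejected by default but accepted, attributed to `<unregistered>`, when the policy flag is on. That last row is exactly the spec-compliant configuration Eran describes as possibly bad or insecure, since nothing in the token ties it back to a client.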