2013/2/13 Justin Richer <jric...@mitre.org>:
>
> On 02/12/2013 11:30 AM, John Bradley wrote:
>>
>> To some extent we want the server to have the flexibility it needs.
>>
>> If the server knows it is going to need client_id for GET it needs to
>> encode it in the resource URI either as part of the path or as a query
>> parameter (that is up to the server)
>>
>> When doing updates the client MUST include the client_id as an additional
>> integrity check. Some servers may switch on that but that is up to them.
>
> So if by this you mean that the client still simply follows whatever update
> url the server hands it (which may or may not include the client_id in some
> form, but the client doesn't care), and that the client MUST include its
> client_id in the request body (top-level member of a JSON object, at the
> moment) when doing a PUT (or POST/PATCH? see below) for the update action,
> then I'm totally fine with that. Is this what you're suggesting?

As far as I understand, yes. That is what we discussed last Thursday face
to face.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
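
The update rule agreed in this thread, sketched from the server side as an added example; it is not code from any participant or from a specification. The registration store, URL layout, status codes and error strings are assumptions, and the request is assumed to be authenticated before this handler runs.

```python
import json

# Constructed store: server-chosen update URL -> registered client metadata.
# Whether client_id appears in the path or query is the server's decision;
# the client follows the URL as an opaque value.
REGISTRATIONS = {
    "/register/client-abc123": {
        "client_id": "client-abc123",
        "redirect_uris": ["https://client.example/cb"],
    },
}


def handle_update(method, path, raw_body):
    """Process an update request; returns (http_status, response_dict).

    Assumes the caller has already authenticated the request.
    Error strings are hypothetical, not taken from any specification.
    """
    if method != "PUT":
        return 405, {"error": "method_not_allowed"}
    record = REGISTRATIONS.get(path)
    if record is None:
        return 404, {"error": "unknown_registration"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "invalid_json"}
    if not isinstance(body, dict):
        return 400, {"error": "invalid_json"}

    # The client MUST send client_id as a top-level member of the JSON body.
    claimed = body.get("client_id")
    if not isinstance(claimed, str) or not claimed:
        return 400, {"error": "client_id_missing"}
    # Integrity check: the body must name the same client the URL resolved to,
    # so a request aimed at the wrong registration is rejected, not applied.
    if claimed != record["client_id"]:
        return 403, {"error": "client_id_mismatch"}

    # Replace the metadata but keep the server-issued identifier authoritative.
    updated = dict(body, client_id=record["client_id"])
    REGISTRATIONS[path] = updated
    return 200, updated
```
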