Yeah, in general the client identification/authentication is independent from the grant being presented. There may be policy (maybe unidentified clients aren't allowed) or other protocol details (like some kind of HoK bound to the client, though that doesn't exist yet) that dictate more requirements on the client identifier. But in the general case they are independent and the client_id is not required.
On Mon, Feb 18, 2013 at 5:58 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

> The client_id value and the access token value are independent.
>
> -- Mike
>
> *From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of* Lewis Adam-CAL022
> *Sent:* Monday, February 18, 2013 2:50 PM
> *To:* oauth@ietf.org WG
> *Subject:* [OAUTH-WG] JWT grant_type and client_id
>
> Is there any guidance on the usage of client_id when using the JWT
> assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no
> mention so I assume that it is not required … but it would be necessary if
> using in conjunction with a HOK profile where the JWT assertion is issued
> to – and may only be used by – the intended client. Obviously this is
> straightforward enough, really I’m just looking to be sure that I’m not
> missing anything.
>
> tx
> adam
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
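The separation discussed in this thread, sketched as a token-endpoint handler. This is an added example, not code from the thread or from the draft: the function names, the `require_client` policy flag, the HS256 shared key and the treatment of a client as a bare identifier looked up in a set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_assertion(claims: dict, key: bytes) -> str:
    # Builds a constructed HS256 JWT so the example runs offline.
    signing_input = _b64(b'{"alg":"HS256"}') + "." + _b64(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(mac)

def check_grant(assertion: str, key: bytes, audience: str, now: float) -> dict:
    # Validates the grant by itself; no client information is consulted.
    # Simplification: "aud" is compared as a single string.
    try:
        header, payload, sig = assertion.split(".")
        alg = json.loads(_unb64(header))["alg"]
        claims = json.loads(_unb64(payload))
        mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        ok = (alg == "HS256" and hmac.compare_digest(mac, _unb64(sig))
              and claims["aud"] == audience and claims["exp"] > now)
    except (ValueError, KeyError, TypeError):
        ok = False
    if not ok:
        raise ValueError("invalid_grant")
    return claims

def token_request(body, key, audience, clients, require_client=False, now=None):
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    # Client identification is its own step; client_id may simply be absent.
    client = form.get("client_id")
    if (client is None and require_client) or (client is not None and client not in clients):
        return {"error": "invalid_client"}
    try:
        claims = check_grant(form.get("assertion", ""), key, audience, now or time.time())
    except ValueError as err:
        return {"error": str(err)}
    return {"sub": claims["sub"] if "sub" in claims else None, "client": client}

if __name__ == "__main__":
    key, aud = b"demo-key", "https://as.example/token"  # constructed values
    jwt = sign_assertion({"sub": "adam", "aud": aud, "exp": time.time() + 300}, key)
    print(token_request(urlencode({"grant_type": JWT_BEARER, "assertion": jwt}), key, aud, {"app1"}))
```
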