On 05/17/2013 07:29 PM, Phil Hunt wrote:
> He's saying every client gets a registration token and a client token.

What's a "client token", exactly? There are three potential places for
OAuth tokens in and around dynamic registration, and none of them are
called "client token".

1) The registration access token, which binds a "client" (or "instance
of a client", if you will) to a set of registration information at a
specific authorization server. The client uses this to call its Client
Information Endpoint to do updates, refreshes, and potentially delete
itself. This token is *only* good at this Client Information Endpoint,
and nowhere else. This token is specific to the registration it represents.

2) The (optional) initial token used to authenticate to the Client
Registration Endpoint. This is *not* the registration access token, and
it is *not* used to access the Client Information Endpoint. How the
client or developer gets this token is out of scope. How the registration
server validates this token is out of scope. The structure and contents
of this token are out of scope.

3) The access/refresh tokens that a registered client eventually gets
from the Token Endpoint and uses with protected resources. These tokens
aren't used at the Client Registration Endpoint or at the Client
Information Endpoint.

There are also a couple of related concepts that aren't tokens at all:

4) The client_id, which is issued to a "client" (or "client instance")
by the authorization server. This must be unique at the auth server for
each client instance. The client uses this client_id at the
Authorization Endpoint and the Token Endpoint in normal OAuth flows.

5) The client_secret, which is issued to a "client" (or "client
instance") by the auth server, for confidential clients (i.e. clients
that can protect their client_secret). This is used by the client to
authenticate to the Token Endpoint and nowhere else.

Which of these do you mean by a "client token"?

-- Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
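The separation Justin describes (initial token accepted only at the Client Registration Endpoint; registration access token accepted only at the Client Information Endpoint, and only for the registration it was issued with; client_secret accepted at neither) can be checked mechanically. The following is an added illustration written for this thread, not code from the OAuth working group or any real server: `RegistrationServer`, `Registration` and the opaque initial-token set are hypothetical, in-memory stand-ins for the endpoints discussed above.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Registration:
    client_id: str                    # (4) unique per client instance at this AS
    client_secret: Optional[str]      # (5) None for public clients
    registration_access_token: str    # (1) usable only at this registration's Client Information Endpoint
    metadata: dict = field(default_factory=dict)


class RegistrationServer:
    """Hypothetical in-memory authorization server (constructed for this example)."""

    def __init__(self, initial_access_tokens=()):
        # (2) tokens accepted at the Client Registration Endpoint; how they were
        # issued and what they contain is out of scope, so they are opaque strings.
        self._initial_tokens = set(initial_access_tokens)
        self._registrations = {}

    def register(self, metadata, bearer=None, confidential=True):
        """Client Registration Endpoint (POST): returns (status, body)."""
        if self._initial_tokens and bearer not in self._initial_tokens:
            return 401, {"error": "invalid_token"}
        reg = Registration(
            client_id=secrets.token_urlsafe(16),
            client_secret=secrets.token_urlsafe(32) if confidential else None,
            registration_access_token=secrets.token_urlsafe(32),
            metadata=dict(metadata),
        )
        self._registrations[reg.client_id] = reg
        body = {**reg.metadata, "client_id": reg.client_id,
                "registration_access_token": reg.registration_access_token}
        if reg.client_secret:
            body["client_secret"] = reg.client_secret
        return 201, body

    def read_registration(self, client_id, bearer):
        """Client Information Endpoint (GET): the bearer must be the registration
        access token of this exact registration. Initial tokens, the client_secret
        and tokens issued to other registrations are all rejected."""
        reg = self._registrations.get(client_id)
        if reg is None or not bearer or not hmac.compare_digest(
                bearer, reg.registration_access_token):
            return 401, {"error": "invalid_token"}
        return 200, {**reg.metadata, "client_id": reg.client_id}
```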