Hello,

There are some unclear parts in the OAuth 2.0 specification.

*1.* In 4.3 (B) there is the following statement:

  When making the request, the client authenticates with the authorization server.

In 4.3.2 there is the following statement:

  If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1 <http://tools.ietf.org/html/rfc6749#section-3.2.1>.

The first statement states that client credentials must always be passed. The second states that they are required only for certain client types. Also, if the client does not provide credentials, there is no means to identify it, and so it is impossible to check whether client credentials were actually required.

*2.* The Authorization Code Grant and the Implicit Grant use different parts of the URL to encode their response. The former uses the query and the latter the fragment. If the request has an invalid or missing response_type parameter, then the user agent should be redirected to a URL with an error response where error=unsupported_response_type. But if we don't know what type of grant we are handling, where do we put the error parameters? In the query or the fragment part of the URL?

Please clarify that.

Thanks in advance

Best regards

--
Ing. Martin Ždila
Senior Analyst / Developer
M-Way Solutions Slovakia s.r.o.
Letná 27, 040 01 Košice
Slovakia
tel:+421-908-363-848
mailto:m.zd...@mwaysolutions.com
http://www.mwaysolutions.com
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
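An added example (not from the thread) of how an authorization server builds the error redirect that question 2 is about: RFC 6749 4.1.2.1 places error parameters in the query component for response_type=code and 4.2.2.1 in the fragment for response_type=token, while 3.1.2 requires any query component already present in the registered redirect URI to be retained. The client registry and the choice to fall back to the query component for an unrecognised response_type are assumptions made for the example; the refusal to redirect to an unregistered redirect_uri follows 4.1.2.1.

```python
"""Build RFC 6749 authorization-endpoint error redirects (added example).

Assumes a registry of exact redirect URIs per client (REGISTERED_REDIRECTS,
constructed here) and, for an unknown or missing response_type, falls back
to the query component, which is an implementation choice, not spec text.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample registration: client_id -> exact redirect URIs allowed.
REGISTERED_REDIRECTS = {
    "s6BhdRkqt3": {"https://client.example.com/cb?app=1"},
}

# 4.1.2.1 (code) uses the query component; 4.2.2.1 (token) uses the fragment.
RESPONSE_TYPE_LOCATION = {"code": "query", "token": "fragment"}


def error_redirect(client_id, redirect_uri, response_type, error, state=None):
    """Return the Location header value for an error redirect, or None when
    the server must not redirect (unknown client or unregistered redirect_uri)."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        # 4.1.2.1: inform the resource owner instead; never redirect to an
        # unregistered URI, or the error response becomes an open redirector.
        return None
    params = [("error", error)]
    if state is not None:
        params.append(("state", state))  # REQUIRED if the request carried state
    # Assumption for the ambiguous case: unknown response_type -> query.
    location = RESPONSE_TYPE_LOCATION.get(response_type, "query")
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    if location == "query":
        # 3.1.2: keep the registered URI's own query parameters, then append.
        query = urlencode(parse_qsl(query, keep_blank_values=True) + params)
    else:
        fragment = urlencode(params)
    return urlunsplit((scheme, netloc, path, query, fragment))
```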