Think that there are three different types of clients: confidential; 
public; and anonymous (my term).

Confidential: id and secret;
Public: id only;
Anonymous: no credentials;

You provide the type of credentials that you can, and the protected 
endpoint will accept or reject based on the operation and its protections.







Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainh...@us.ibm.com
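The three client kinds above (confidential: id and secret; public: id only; "anonymous": nothing) and the idea that the endpoint decides per operation can be made concrete as a small token-endpoint authentication step. This is an added example written for this page, not code from the reply, from RFC 6749 or from any IBM or M-Way product; the client registry, the secrets and the per-grant policy table are assumptions chosen to illustrate the point.

```python
"""Toy OAuth 2.0 token-endpoint client resolution (added example, not from RFC 6749).

Three kinds of caller are distinguished: confidential (id + secret), public
(id only) and "anonymous" (no credentials).  Registry contents, secrets and
the POLICY table are assumptions for this example.
"""
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class OAuthError(Exception):
    """Carries an RFC 6749 section 5.2 error code such as invalid_client."""

    def __init__(self, code: str, description: str = ""):
        super().__init__(f"{code}: {description}")
        self.code = code


@dataclass
class Client:
    client_id: str
    client_type: str                  # "confidential" or "public" (s2.1)
    client_secret: Optional[str] = None


# Constructed registry: one confidential and one public client.
REGISTRY: Dict[str, Client] = {
    "web-app": Client("web-app", "confidential", client_secret="s3cret"),
    "mobile-app": Client("mobile-app", "public"),
}


def resolve_client(headers: dict, form: dict) -> Tuple[Optional[Client], bool]:
    """Return (client, authenticated).

    Credential sources: HTTP Basic (s2.3.1), then client_id/client_secret
    body parameters (s2.3.1), then a bare client_id used only to identify the
    caller (s3.2.1).  (None, False) means no credentials at all.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
            client_id, secret = decoded.split(":", 1)
        except ValueError:                      # covers binascii/unicode errors
            raise OAuthError("invalid_client", "malformed Basic credentials")
    else:
        client_id = form.get("client_id")
        secret = form.get("client_secret")

    if client_id is None:
        return None, False                      # the "anonymous" case

    client = REGISTRY.get(client_id)
    if client is None:
        raise OAuthError("invalid_client", "unknown client_id")

    if secret is None:
        # Identification only.  A confidential client MUST authenticate
        # (s3.2.1), so a bare id from it is rejected rather than downgraded.
        if client.client_type == "confidential":
            raise OAuthError("invalid_client", "client authentication required")
        return client, False

    # Constant-time compare; a public client has no secret to compare against.
    if client.client_secret is None or not hmac.compare_digest(
            secret.encode(), client.client_secret.encode()):
        raise OAuthError("invalid_client", "bad client secret")
    return client, True


# Per-grant requirement on the caller (assumed policy, derived from the
# per-grant text of RFC 6749): the endpoint, not the client, decides whether
# the credentials that were offered are enough for this operation.
POLICY = {
    "client_credentials": "authenticated",  # s4.4: confidential clients only
    "authorization_code": "identified",     # s4.1.3: client_id REQUIRED if not authenticating
    "password": "any",                      # s4.3.2: authenticate only if confidential / issued credentials
}


def check_grant(grant_type: str, headers: dict, form: dict) -> str:
    """Return the client_id the grant proceeds under, or raise OAuthError."""
    requirement = POLICY.get(grant_type)
    if requirement is None:
        raise OAuthError("unsupported_grant_type", grant_type)
    client, authenticated = resolve_client(headers, form)
    if requirement == "authenticated" and not authenticated:
        raise OAuthError("invalid_client", f"{grant_type} requires client authentication")
    if requirement == "identified" and client is None:
        raise OAuthError("invalid_request", "client_id is required")
    return client.client_id if client else "<anonymous>"


def basic(client_id: str, secret: str) -> dict:
    """Build an HTTP Basic Authorization header for a confidential client."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(check_grant("client_credentials", basic("web-app", "s3cret"), {}))
    print(check_grant("authorization_code", {}, {"client_id": "mobile-app"}))
    print(check_grant("password", {}, {"username": "alice", "password": "pw"}))
```

The point of the two-stage design is that `resolve_client` only establishes what the caller proved, and `check_grant` applies the requirement of the specific operation; a public client can therefore be accepted for a password grant and rejected for a client-credentials grant with no change to how its credentials are parsed.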




From:   Martin Ždila <m.zd...@mwaysolutions.com>
To:     oauth@ietf.org, 
Date:   08/30/2013 03:42 AM
Subject:        [OAUTH-WG] Unclear parts in OAuth 2.0 specification
Sent by:        oauth-boun...@ietf.org



Hello

There are some unclear parts in the OAuth 2.0 specification.

1. In 4.3. (B) there is the following statement:
   When making the request, the client
   authenticates with the authorization server.

In 4.3.2 there is the following statement:
   If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1.

The first statement says that client credentials must always be passed. 
The second says that they are required only for certain client types.

Also, if the client type doesn't provide credentials, there is no means to 
identify it, and so it is impossible to check whether client credentials were 
actually required.

2. The Authorization Code Grant and the Implicit Grant use different parts of 
the URL to encode their response. The former uses the query and the latter the 
fragment. If the request has an invalid or missing response_type parameter, 
then the user agent should be redirected to a URL with an error response where 
error=unsupported_response_type. But if we don't know what type of grant 
we are handling, where do we put the error parameters? In the query or the 
fragment part of the URL?

Please clarify that.

Thanks in advance

Best regards

-- 
Ing. Martin Ždila
Senior Analyst / Developer

M-Way Solutions Slovakia s.r.o.
Letná 27, 040 01 Košice
Slovakia

tel:+421-908-363-848
mailto:m.zd...@mwaysolutions.com
http://www.mwaysolutions.com 
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


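The second question above (query or fragment when the grant type cannot be determined) is answered by RFC 6749 itself: section 3.1.1 says that a missing or not-understood response_type MUST be answered as described in section 4.1.2.1, i.e. in the query component, with a missing parameter reported as invalid_request and an unknown one as unsupported_response_type. Section 4.1.2.1 also forbids redirecting at all when the client_id or redirect_uri is missing, invalid or mismatching. The following is an added example (written for this page, not code from either message or from any server implementation) that applies those rules; the registered-redirect-URI table and the `decide` helper are assumptions of the example.

```python
"""Where an authorization-endpoint error goes (added example, not from RFC 6749).

Authorization-code responses and errors use the query (s4.1.2, s4.1.2.1);
implicit responses and errors use the fragment (s4.2.2, s4.2.2.1).  A
missing or not-understood response_type is answered per s3.1.1, which
points to s4.1.2.1, so it goes in the query.  The registry below is
constructed for this example.
"""
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

FRAGMENT_RESPONSE_TYPES = {"token"}          # implicit grant

# Constructed registry of exact registered redirect URIs per client_id.
REGISTERED = {
    "web-app": "https://client.example/cb",
    "spa": "https://spa.example/cb",
    "native": "https://app.example/cb?v=1",  # registered URI that already has a query
}


def redirect_target(params: dict) -> Optional[str]:
    """Return the redirect URI, or None if the server MUST NOT redirect (s4.1.2.1)."""
    registered = REGISTERED.get(params.get("client_id", ""))
    if registered is None:
        return None                          # missing / invalid client_id
    requested = params.get("redirect_uri", registered)
    if requested != registered:
        return None                          # mismatching redirect_uri
    return registered


def attach(uri: str, fields: dict, use_fragment: bool) -> str:
    """Add fields to the query or fragment, keeping any query the URI already has (s3.1.2)."""
    scheme, netloc, path, query, fragment = urlsplit(uri)
    encoded = urlencode(fields)
    if use_fragment:
        return urlunsplit((scheme, netloc, path, query, encoded))
    merged = f"{query}&{encoded}" if query else encoded
    return urlunsplit((scheme, netloc, path, merged, fragment))


def error_redirect(params: dict, error: str, description: str = "") -> Optional[str]:
    """Build the error redirect for a request whose redirect target is valid."""
    target = redirect_target(params)
    if target is None:
        return None
    fields = {"error": error}
    if description:
        fields["error_description"] = description
    if "state" in params:                    # REQUIRED if the request carried state
        fields["state"] = params["state"]
    use_fragment = params.get("response_type") in FRAGMENT_RESPONSE_TYPES
    return attach(target, fields, use_fragment)


def decide(params: dict) -> Tuple[str, Optional[str]]:
    """Validate response_type.

    Returns ("show_error", None) when the server must inform the resource
    owner directly instead of redirecting, ("redirect", location) for an
    error that is sent back to the client, and ("proceed", None) when the
    request may continue to the consent step (not modelled here).
    """
    if redirect_target(params) is None:
        return "show_error", None
    response_type = params.get("response_type")
    if response_type is None:
        return "redirect", error_redirect(params, "invalid_request",
                                          "response_type is missing")
    if response_type not in ("code", "token"):
        return "redirect", error_redirect(params, "unsupported_response_type",
                                          response_type)
    return "proceed", None


if __name__ == "__main__":
    print(decide({"client_id": "web-app", "state": "s1"}))
    print(decide({"client_id": "spa", "response_type": "id_token"}))
    print(decide({"client_id": "web-app", "redirect_uri": "https://evil.example/cb"}))
```

Note that `decide` checks the redirect target before it looks at `response_type`: an attacker-supplied `redirect_uri` must never receive a redirect, even an error one, so the "must not redirect" rule takes precedence over every other validation step.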