On Fri, Oct 25, 2013 at 1:41 PM, Phil Hunt <phil.h...@oracle.com> wrote:

> Finally, I'm not sure who might be able to lead this (Tim?), but there were
> some interesting views expressed by Google staffers at this week's IIW in
> Mountain View that seem to indicate that the need for client credentials in
> mobile apps may not need to be as strong as we thought or needed at all.
> This has interesting implications for the registration drafts we are
> discussing.
>

We hear lots of developers saying they want to know for sure the identity
of the client, and that’s what we use the azp claim in the ID Token for,
but it’s very fragile in the face of a determined attacker, more so than
the other claims.  Not sure how much there is to talk about...



> Phil
>
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth