Agree Sergey. That line of thinking is largely why https://tools.ietf.org/html/draft-campbell-oauth-sts utilizes normal OAuth client authentication.

On Wed, Jul 8, 2015 at 3:26 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> On 08/07/15 01:41, Mike Jones wrote:
>
>> [...] That’s why the WG draft uses a JWT as the request – so
>> a signature can be applied to the request, when appropriate. (And when
>> it’s not needed, “alg”: “none” can be used.)
>
> The requester is a client talking to the token endpoint and this client
> needs to authenticate, why it needs to sign the token-exchange related
> parts too?
>
> Thanks, Sergey

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth