Agree, Sergey. That line of thinking is largely why
https://tools.ietf.org/html/draft-campbell-oauth-sts utilizes normal OAuth
client authentication.

On Wed, Jul 8, 2015 at 3:26 AM, Sergey Beryozkin <sberyoz...@gmail.com>
wrote:

>
> On 08/07/15 01:41, Mike Jones wrote:
>
>>  [...] That’s why the WG draft uses a JWT as the request – so
>> a signature can be applied to the request, when appropriate.  (And when
>> it’s not needed, “alg”: “none” can be used.)
>>
>>
> The requester is a client talking to the token endpoint and this client
> needs to authenticate; why does it need to sign the token-exchange-related
> parts too?
>
> Thanks, Sergey
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
