I'm still catching up... but to this point specifically...
Doesn't this require that the same client_id NOT be used simultaneously at two (or more) Authorization Servers? If so, I don't believe that is a viable option. It's a little late in the game to be putting requirements on the AS as to how it generates its client_id.
Thanks,
George

On 1/25/16 9:11 AM, John Bradley wrote:
Returning the iss and client_id from the authorization endpoint per Mike’s draft allows the client to reject the authorization response and not leak the code.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
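
Added example, not part of the original thread or of the draft it discusses: a client-side check that compares the `iss` and `client_id` returned from the authorization endpoint with the values recorded when the request was sent, and rejects the response before the code is redeemed anywhere. The session layout, the `state` check, the function names and the sample issuer and identifiers are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


class AuthorizationResponseRejected(Exception):
    """Raised when the response must be dropped without redeeming the code."""


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(a.encode(), b.encode())


def accept_authorization_response(redirect_url: str, session: dict) -> str:
    """Return the code only if iss and client_id match the AS this session used."""
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    def single(name: str) -> str:
        values = params.get(name, [])
        if len(values) != 1:  # absent or duplicated parameter
            raise AuthorizationResponseRejected(f"{name} missing or repeated")
        return values[0]

    if not _same(single("state"), session["state"]):
        raise AuthorizationResponseRejected("state does not match this session")
    if not _same(single("iss"), session["issuer"]):
        raise AuthorizationResponseRejected("iss is not the AS the request went to")
    if not _same(single("client_id"), session["client_id"]):
        raise AuthorizationResponseRejected("client_id is not ours at that AS")
    return single("code")  # to be sent to session["token_endpoint"] only


# Constructed sample data (hypothetical issuer and identifiers).
SESSION = {
    "state": "af0ifjsldkj",
    "issuer": "https://as-a.example",
    "client_id": "client-123",
    "token_endpoint": "https://as-a.example/token",
}


def sample_redirect(**overrides) -> str:
    params = {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": SESSION["state"],
              "iss": SESSION["issuer"], "client_id": SESSION["client_id"]}
    params.update(overrides)
    return "https://client.example/cb?" + urlencode(params)


if __name__ == "__main__":
    print(accept_authorization_response(sample_redirect(), SESSION))
```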