Hello Takahiko,

Such language already exists in the second-to-last paragraph of Section 3.1. As 
with CIBA, the client’s regular token endpoint auth method is used at the device 
authorization endpoint. 

> The client authentication requirements of Section 3.2.1 of [RFC6749] apply to 
> requests on this endpoint, which means that confidential clients (those that 
> have established client credentials) authenticate in the same manner as when 
> making requests to the token endpoint, and public clients provide the 
> "client_id" parameter to identify themselves.

Sent from iPhone

On 4. 6. 2019 at 4:10, Takahiko Kawasaki <t...@authlete.com> wrote:

> Hello,
> 
> Do you have any plan to define a rule as to which client authentication 
> method should be used at the device authorization endpoint (which is defined 
> in OAuth 2.0 Device Authorization Grant)?
> 
> Section 4 of CIBA, which has incorporated some ideas/rules/parameters from 
> Device Flow, says as follows.
> 
> The token_endpoint_auth_method indicates the registered authentication method 
> for the client to use when making direct requests to the OP, including 
> requests to both the token endpoint and the backchannel authentication 
> endpoint.
> 
> This means that a backchannel authentication endpoint in CIBA (which 
> corresponds to a device authorization endpoint in Device Flow) performs 
> client authentication using the client authentication method specified by the 
> token_endpoint_auth_method metadata of the client.
> 
> I'd like to know if you have any plan to explicitly add a description like 
> above into the specification of OAuth 2.0 Device Authorization Grant.
> 
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
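
An added example, not part of the original thread or of any implementation's code: a minimal sketch of the rule quoted above, in which a device authorization endpoint authenticates each client with the method registered in its `token_endpoint_auth_method`, just as the token endpoint would. The registry, client ids, secrets and function names are constructed for illustration, and only `client_secret_basic`, `client_secret_post` and `none` are covered.

```python
import base64
import hmac
from urllib.parse import unquote_plus

# Constructed client registry; ids and secrets are sample values (assumption).
CLIENTS = {
    "tv-app": {"token_endpoint_auth_method": "none"},
    "kiosk": {"token_endpoint_auth_method": "client_secret_basic", "client_secret": "s3cr3t-sample"},
    "printer": {"token_endpoint_auth_method": "client_secret_post", "client_secret": "p0st-sample"},
}

class ClientAuthError(Exception):
    """Maps to the OAuth "invalid_client" error response."""

def _presented(headers, form):
    """Return (method, client_id, secret) as presented in the request."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        if "client_secret" in form:
            raise ClientAuthError("more than one authentication method used")
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:
            raise ClientAuthError("malformed Basic credentials")
        cid, sep, secret = raw.partition(":")
        if not sep:
            raise ClientAuthError("malformed Basic credentials")
        # RFC 6749 Section 2.3.1: both values are form-urlencoded before Basic encoding.
        return "client_secret_basic", unquote_plus(cid), unquote_plus(secret)
    if "client_secret" in form:
        return "client_secret_post", form.get("client_id"), form["client_secret"]
    return "none", form.get("client_id"), None  # public client: client_id only

def authenticate_client(headers, form, clients=CLIENTS):
    """Authenticate a device authorization request as the token endpoint would."""
    method, client_id, secret = _presented(headers, form)
    client = clients.get(client_id)
    if client is None:
        raise ClientAuthError("unknown client")
    # A confidential client must not downgrade to a bare client_id or switch methods.
    if method != client["token_endpoint_auth_method"]:
        raise ClientAuthError("authentication method does not match registration")
    if method != "none" and not hmac.compare_digest(
            secret.encode(), client["client_secret"].encode()):
        raise ClientAuthError("bad client secret")
    return client_id
```
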