Should implementors of OAuth libraries enforce that an assertion belongs to
a particular client?
E.g.: if there are two clients cA and cB, and cA gets issued an assertion
foo, can cB then use foo to obtain an access token at the token endpoint?
thanks
lvh
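The question above is whether the token endpoint should refuse an assertion that was issued to a different client. The following is an added example, not code from this thread, from draft-campbell-oauth-saml, or from any OAuth library. It uses a toy compact JSON format signed with HMAC-SHA256 instead of SAML so that it runs with only the Python standard library; the signing key, the issuer name, the token endpoint URL, and the `client_id` claim that carries the client binding are all assumptions of the example. Note that the audience check alone does not answer the question: `aud` names the token endpoint, not the client, so an assertion that passes signature, issuer, audience and expiry checks can still be presented by cB unless the server also compares the client the assertion was issued to against the client that authenticated at the token endpoint.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values for this example: a signing key shared by the assertion
# issuer and the authorization server, the issuer name, and the token endpoint
# URL that every assertion must name as its audience. None of these come from
# the thread or from any draft.
ISSUER_KEY = b"constructed-example-issuer-key"
ISSUER = "https://idp.example"
TOKEN_ENDPOINT = "https://as.example/token"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(client_id, subject, ttl=300, now=None):
    """Issuer side: mint a compact HMAC-SHA256 signed assertion that names the
    client it was issued to. The 'client_id' claim is this example's choice."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": TOKEN_ENDPOINT,
              "exp": now + ttl, "client_id": client_id}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


class AssertionRejected(Exception):
    pass


def verify_assertion(assertion, presenting_client, now=None):
    """Authorization server side: check signature, issuer, audience and expiry,
    then refuse the assertion unless it is bound to the client that
    authenticated at the token endpoint."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise AssertionRejected("malformed assertion")
    h, c, s = parts
    try:
        given_sig = _unb64(s)
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(c))
    except (binascii.Error, ValueError):
        raise AssertionRejected("undecodable assertion")
    # Verify the signature over the exact bytes that were signed before
    # trusting anything inside the header or the claims.
    expected_sig = hmac.new(ISSUER_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected_sig, given_sig):
        raise AssertionRejected("bad signature")
    if claims.get("iss") != ISSUER:
        raise AssertionRejected("unknown issuer")
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise AssertionRejected("assertion not addressed to this token endpoint")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AssertionRejected("assertion expired")
    # The check the question asks about: cB must not be able to redeem an
    # assertion that was issued to cA, even though aud, iss and the signature
    # are all valid.
    if claims.get("client_id") != presenting_client:
        raise AssertionRejected("assertion not bound to the presenting client")
    return claims


def token_endpoint(authenticated_client, assertion, now=None):
    """Minimal token endpoint. authenticated_client is the client_id established
    by client authentication on the request; the assertion is the grant.
    Returns an OAuth-style token response or an invalid_grant error."""
    now = int(time.time()) if now is None else now
    try:
        claims = verify_assertion(assertion, authenticated_client, now)
    except AssertionRejected:
        return {"error": "invalid_grant"}
    # Opaque token value for the example; a real server would mint and store one.
    token = _b64(hashlib.sha256(f"{authenticated_client}:{claims['sub']}:{now}".encode()).digest())
    return {"access_token": token, "token_type": "bearer", "expires_in": 3600}


if __name__ == "__main__":
    foo = issue_assertion("cA", "alice", now=1000)
    print(token_endpoint("cA", foo, now=1100))  # token response
    print(token_endpoint("cB", foo, now=1100))  # {'error': 'invalid_grant'}
```

The `now` parameter exists only so the expiry check is deterministic; production code would use the clock. The binding check compares against the client identity established by client authentication, not against anything the client sends in the request body, since the latter is attacker-controlled.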
Thanks Thomas,
With respect to
https://datatracker.ietf.org/doc/draft-campbell-oauth-saml/, I'm
planning on updating it to come in line with draft -11 when it's
published, as well as a couple of other updates related to subject conf
and subject that have been discussed on this list. As it stands, I'm
Hannes,
I strongly believe that SAML support in OAuth 2.0 and "SAML interoperability" are
crucial in getting OAuth accepted and deployed in high-assurance (high-value)
environments (e.g. government, financials).
As such, if it's ok with Brian, I would be willing to either co-author or review
the S
Hi!
2010/9/12 David Recordon
> I'd like to see us finish Core before considering re-chartering. :)
>
> But to your original question. I'm interested in the UX extension (said I'd
> edit), device flow (said I'd edit), and the OpenID Connect work which
> encompasses dynamic registration and likely
> Kris - Can you clarify why phones can't protect the client secret? This
> sounds like it would be a major issue for a lot of people.
Mobile apps on phones like iPhone are installed apps, and it is not possible as
far as I know to prevent the client secret from being extracted – you have to