Fair enough. Thanks, Eran. Is that generally a clear distinction to the
rest of the community already, or should this distinction be described in
section 3.2.1?
On Sunday, February 12, 2012, Eran Hammer wrote:
> Identification isn’t authentication. A public client can identify itself
> for the
The text serves two purposes:
1. Warn client developers that the server may have a default scope and
that they should figure out what it is or what the scope requirements are.
2. Make server developers aware that they should publish their default
scope or scope handling preferences.
It is a way of saying the AS doesn't need to return an error if scope is not
included, though it has the option to return an error if it has no default
scope.
However, what the server may use as a default value is application specific.
e.g. the client may have registered a default scope or scop
In most cases, it will likely be a fixed value, but there's nothing
indicating that it can't be contextual. Especially in cases where you've
got public, confidential, and dynamically-registered clients all acting
on the same host, the default value will depend completely on what kind
of client
Hi all,
As some of you will have noticed Barry will be taking
over as an IETF applications area director in Paris
which means that he'll no longer be able to help out
as OAuth chair after that.
However, we've been quite lucky in that Derek Atkins
(cc'd) has agreed to help out along with Hannes