Justin,

> The important thing is the logical distinction between
> "place where the client goes" and "place where the client sends an end
> user", and that those don't get folded into each other.

I certainly don't want to fold those two together.
The issue is whether the spec should fold together
I like the organization of the spec with its grant types structure. In
my reading of it, the two endpoints are logical and may be presented
from different URLs and crunched on by several processing engines in the
background. The important thing is the logical distinction between
"place where the cl
OAuth2 now defines a single URI - the token endpoint - that has to be capable
of processing:
* State from a user approval interaction (encoded into a 'code'
parameter);
* User passwords;
* Client app credentials;
* SAML tokens;
* JSON Web Tokens (JWT);