Web clients are expected to have secrets or to have otherwise
registered with the AS.  In order for them to use those secrets, they
need to know the AS URL.

Cheers,
Brian

On Tue, Apr 6, 2010 at 1:23 AM, Eran Hammer-Lahav <[email protected]> wrote:
> Why?
>
>
> On 4/6/10 12:58 AM, "Brian Eaton" <[email protected]> wrote:
>
> On Tue, Apr 6, 2010 at 12:47 AM, Eran Hammer-Lahav <[email protected]>
> wrote:
>> That’s the same as what I have in the draft, only with a single endpoint
>> instead of two. Since we already have a ‘mode’ parameter (which I am
>> renaming to ‘type’), that single endpoint can speak more than one flow.
>
> Note that the discovery flow I outlined only works for rich clients,
> and is completely insecure for other types of clients.
>
> In another thread Leif mentioned similar concerns.  I think they are
> justified.
>
> Cheers,
> Brian
>
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
