On 4/14/10 5:23 PM, "Marius Scurtescu" <[email protected]> wrote:

> The client_secret would have to be optional then. This may be needed
> anyhow to support an "unregistered" Web Callback flow.
> 
> Also, the callback URL may need to be optional, because some native
> apps cannot receive a callback. The Authz Server will have to show a
> page with the verification code in this case.

At some point all these optional parameters make the flow useless because it
loses all interop value. It becomes a developer guide instead of a spec.

Unregistered clients should be solved by other means than just making the
secret parameter optional (i.e. issue an anonymous client identifier and
fixed or blank secret). The secret value can be empty anyway (there is no
text requiring it to be something other than an empty string).

The callback URI is optional already if it was established via other means,
but the server MUST be able to accept this parameter (allowing the client to
drop it as a special case doesn't hurt interop).

EHL

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
