On 2010-06-07, at 1:24 PM, Thomas Hardjono wrote:

> What if the username/password (or PIN) was used to release a secret (located
> in an OTP dongle) or to exercise a secret key (symmetric or asymmetric)
> located in a smartcard or TPM chip?
>
> Reading Section 3.8, it seems it covers these cases already (or am I reading
> the wrong section). In Figure 6, the “Client” would be the code contained in
> the auth-device (or the code that invokes the underlying auth-device).
>
> Section 3.7 on device flows does not look as if it was written with these
> portable auth-devices in mind.

Correct, it was not.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth