On Sat, Jul 17, 2010 at 8:52 AM, Luke Shepard <[email protected]> wrote:

> As far as consistency, it is just a little weird to call it "client password" in one
> part of the spec, when it's defined as "client secret" elsewhere.
Agreed, we could be more consistent. The value we're talking about is the same in all of the flows, no sense in switching terminology.

I prefer client_password, because "password", for me, evokes all the right kinds of security concerns: password storage, encryption on the wire, etc. I'm less happy with client_secret, though I can certainly live with it. My main concern with client_secret is that people might confuse it with a signing secret. The value is not used for signing. If we are going to have flows where clients have secrets that are used for cryptographic authentication, then I would want to call those "keys" instead.

> How about just "client_only"?

That would be fine by me.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
