It really depends on the requirements or policy of the authorization server. For the I-D I've been working on, https://datatracker.ietf.org/doc/draft-campbell-oauth-saml/, there's nothing that binds the assertion to the client. So there's not a requirement for that enforcement, nor is there really any information in the assertion that would make it possible.
Other profiles might be different in that regard, and I'd think that any "client assertions" used for client authentication might directly identify the client and expect validation of such at the authz server.

On Mon, Sep 13, 2010 at 1:10 PM, Laurens Van Houtven <l...@laurensvh.be> wrote:
> Should implementors of OAuth libraries enforce that an assertion belongs to
> a particular client?
> E.g.: if there are two clients cA and cB, and cA gets issued an assertion
> foo, can cB then use foo to obtain an access token at the token endpoint?
> thanks
> lvh
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
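As an added illustration of the client-authentication case the reply mentions (not code from this thread or from the draft): a token-endpoint check where a client assertion names the client and the authorization server validates that, so an assertion issued to cA cannot be presented by cB. It assumes HS256 with per-client shared keys, a fixed token endpoint URL and the helper names shown; real deployments use per-client asymmetric keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys shared between the authorization server and each client.
# HMAC is used only so the example runs with the standard library.
CLIENT_KEYS = {"cA": b"cA-secret-key", "cB": b"cB-secret-key"}
TOKEN_ENDPOINT = "https://as.example/token"   # assumed token endpoint URL (audience)
_seen_jti = set()                              # in-memory replay cache for the demo

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(client_id: str, jti: str, now: int = None) -> str:
    """Hypothetical helper: build an HS256 client assertion whose iss and sub name the client."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "exp": now + 300, "jti": jti}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_KEYS[client_id], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_client_assertion(assertion: str, presenting_client_id: str, now: int = None) -> bool:
    """Token-endpoint check: the assertion must be signed by, and identify, the presenting client."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = assertion.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return False
    key = CLIENT_KEYS.get(presenting_client_id)
    if key is None or hdr.get("alg") != "HS256":
        return False  # unknown client, or an algorithm we did not register for it
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False  # not signed with the presenting client's key, so cB cannot reuse cA's assertion
    if claims.get("iss") != presenting_client_id or claims.get("sub") != presenting_client_id:
        return False  # the assertion names a different client
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        return False  # wrong audience or expired
    if claims.get("jti") in _seen_jti:
        return False  # replayed assertion
    _seen_jti.add(claims["jti"])
    return True
```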