> > This rather implies that we're specifying running a full server on port 80
> > as a "stupid detector". We should tread carefully here.
>

Right, I suppose you're better off not responding on port 80 if possible. But I imagine this could be phrased in Section 5.0 roughly, "if the resource server is available over an insecure channel, but does not honor insecure requests to protected resources, it SHOULD/MUST respond to insecure requests by invalidating the token and returning an invalid_request error."

> > > +1 for language in the spec describing how to handle this case
> >
> > On Wed, Oct 13, 2010 at 4:12 PM, Jeff Lindsay <[email protected]> wrote:
> > >> Hopefully you also invalidate the token (if bearer) since it was
> > >> sent over an insecure channel.
> >
> > > Excuse my naivety, but perhaps that's worth putting in the spec?
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
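The behaviour the message above proposes for Section 5.0, as an added example (my code, not from the thread or from any OAuth draft): a resource server that refuses protected resources over cleartext, revokes any bearer token the cleartext request carried, and answers with invalid_request. Everything beyond that sentence is my assumption: the in-memory token store, the realm name "example", carrying the error in a WWW-Authenticate header with invalid_request mapped to HTTP 400, accepting the token either in the Authorization header or as an access_token query parameter, and the request's scheme being known reliably to the server.

```python
"""Resource-server handling of a bearer token that arrives over cleartext.

Added example; not code from the OAuth thread or any OAuth draft. The
token store, realm, status codes and header layout are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

REALM = "example"  # hypothetical realm name


@dataclass
class TokenStore:
    """Constructed in-memory store: active token -> resource owner."""
    active: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def lookup(self, token: str) -> Optional[str]:
        return self.active.get(token)

    def revoke(self, token: str) -> None:
        # Drop the token and remember that this value was exposed.
        self.active.pop(token, None)
        self.revoked.add(token)


def extract_bearer(authorization: Optional[str], url: str) -> Optional[str]:
    """Token from 'Authorization: Bearer <token>', else from the
    access_token query parameter (assumed form), else None."""
    if authorization:
        parts = authorization.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bearer" and parts[1].strip():
            return parts[1].strip()
    values = parse_qs(urlsplit(url).query).get("access_token")
    return values[0] if values else None


def challenge(status: int, error: Optional[str] = None):
    """Build an error response carrying a Bearer challenge (assumed layout)."""
    header = f'Bearer realm="{REALM}"'
    if error:
        header += f', error="{error}"'
    return status, {"WWW-Authenticate": header}, ""


def handle_protected_request(store: TokenStore, scheme: str, url: str,
                             authorization: Optional[str] = None):
    """Decide the response to a request for a protected resource.

    Returns (status, headers, body). `scheme` is the scheme the request
    actually arrived on ("http" or "https").
    """
    token = extract_bearer(authorization, url)

    if scheme.lower() != "https":
        # The request reached us in cleartext. Any token it carried is now
        # exposed to whoever could observe the channel, so burn it before
        # answering, and never serve the resource over this channel.
        if token is not None:
            store.revoke(token)
        return challenge(400, "invalid_request")

    if token is None:
        return challenge(401)                   # no credentials: bare challenge
    owner = store.lookup(token)
    if owner is None:
        return challenge(401, "invalid_token")  # unknown, expired or revoked
    return 200, {"Content-Type": "text/plain"}, f"protected resource for {owner}"


if __name__ == "__main__":
    store = TokenStore(active={"tok-abc": "alice"})
    print(handle_protected_request(store, "https", "/resource", "Bearer tok-abc"))
    print(handle_protected_request(store, "http", "/resource", "Bearer tok-abc"))
    # The leaked token is gone even over TLS from now on.
    print(handle_protected_request(store, "https", "/resource", "Bearer tok-abc"))
```

The scheme check is the whole decision, so it has to come from something the server can trust: the socket it accepted the connection on, or, behind a TLS-terminating proxy, a forwarded-protocol header that the server accepts only from that proxy's address. Trusting such a header from any client lets a cleartext request claim to be HTTPS and skip the revocation entirely.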
