What is the reasoning behind the lack of a client_id parameter in requests to protected resources? Could it not add value if a resource server wanted to provide IP white-listing (in a server-to-server scenario), in that the resource server would not have to decrypt/look up the client before denying the request? Also, it would alleviate the need to create provider-wide unique access token values. There is probably some security reasoning behind this that I don't understand... can someone kindly inform me? :-)
Thanks, ~pj
