> What is the reasoning behind the lack of a client_id parameter in requests to protected resources?
When the client app is acting on its own behalf (with the app's own long-term credentials)... the client_id is included as part of authenticating the client app (as a query/form parameter, or as the user-id field in an "Authorization: BASIC" header, or in any other authentication mechanism).

When the client app is acting on behalf of a user (with credentials from an OAuth token response)... the client_id is NOT included. The credentials from the token response are sufficient. Adding client_id here is unnecessary (the server can include it in the token if it is convenient for protected resources), and harmful (it means the protocol that uses the credentials from the token response cannot look like a normal authentication protocol).

-- James Manger
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
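The two cases in the reply above, as an added example that is not part of the original message: a toy authorization server that authenticates the app with client_id in the Basic user-id field, then issues an opaque token whose server-side record carries the client_id, and a resource server that reads only the bearer credential. All names, secrets and codes are constructed for illustration.

```python
import base64
import secrets

# Constructed sample registrations (not from the thread).
CLIENTS = {"app123": "client-secret-xyz"}   # client_id -> client secret
AUTH_CODES = {"code-abc": "alice"}          # authorization code -> resource owner
TOKENS = {}                                 # opaque access token -> grant record


def parse_basic(authorization):
    """Token endpoint: client_id is the user-id field of HTTP Basic credentials."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    client_id, _, secret = base64.b64decode(value).decode().partition(":")
    return client_id, secret


def token_endpoint(headers, form):
    """Authorization server. Authenticates the app with its own credentials,
    then records client_id inside the grant the token refers to, so no later
    request to a protected resource has to carry it."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None or CLIENTS.get(creds[0]) != creds[1]:
        return 401, {"error": "invalid_client"}
    owner = AUTH_CODES.pop(form.get("code"), None)   # single-use code
    if owner is None:
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(16)
    TOKENS[token] = {"client_id": creds[0], "sub": owner}
    return 200, {"access_token": token, "token_type": "Bearer"}


def protected_resource(headers):
    """Resource server. Only the bearer credential is examined; client_id is
    recovered from the token record, never read from the request itself."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    grant = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if grant is None:
        return 401, {"error": "invalid_token"}
    return 200, {"owner": grant["sub"], "client_id": grant["client_id"]}


def run_flow():
    """Step 1 authenticates the app (client_id present); step 2 presents the
    token alone (client_id absent) and still learns which client it was."""
    basic = base64.b64encode(b"app123:client-secret-xyz").decode()
    _, tok = token_endpoint({"Authorization": "Basic " + basic},
                            {"grant_type": "authorization_code", "code": "code-abc"})
    return protected_resource({"Authorization": "Bearer " + tok["access_token"]})
```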