The client does need to know how to authenticate. But given that it already has to know a lot about the service, you would think acceptable authentication types are well known to the client.
What is the problem with the client authenticating like any normal web service client? (IE outside of oauth) Why involve oauth in any authentication for User or client? I have some thoughts but interested in yours. Phil Sent from my phone. On 2011-01-20, at 13:38, Marius Scurtescu <[email protected]> wrote: > On Thu, Jan 20, 2011 at 1:25 PM, Brian Campbell > <[email protected]> wrote: >> I'd argue that, for reliable interoperability, both of those cases would >> require an extension or at least some level of agreement about the format >> and validation rules of the assertion. > > I do agree that an extension would be useful for the second case, but > I don't think the client needs to know about it. I think it is > somewhat similar with the situation of the scope parameter. > > Marius > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
