On Wed, Jan 26, 2011 at 9:07 AM, Eran Hammer-Lahav <[email protected]> wrote:
> Can you share an actual example of how you are authenticating *both* the
> resource owner and client in a single request?

That's not a business requirement.

So the desired flow goes like this:

    kerberos (or other magic sauce) authentication -> access token

not like this:

    client authentication + kerberos authentication -> access token

and definitely not like this:

    client authentication + kerberos authentication -> refresh token

If we did see a need to authenticate the client, we would use the same
mechanisms as normal: client_id and client_secret, or else
client_assertion.

(Curious to know if other people looking at these problems break it
down the same way.)

Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth