> > The main question for me is: "What is mandatory to implement?"
>
> Nothing. The authorization server can support whatever client
> authentication methods it deems appropriate. *IF* client
> password credentials are supported, then the spec offers one
> way to provide them using parameters. The reason why this is
> not that important is that there is no real interop as it
> currently stands because the process of obtaining these
> client credentials is out of scope.

In order to deploy OAuth one has to consider a number of components. Today, many of them require proprietary mechanisms and steps executed out-of-band. My hope, however, is that we (as part of this standardization work) improve interoperability and thereby reduce the number of proprietary components.

This topic seems to be one where standardization could indeed be helpful. Wouldn't you agree?

Ciao
Hannes
