On Mon, Apr 4, 2011 at 4:14 PM, Skylar Woodward <[email protected]> wrote:

> In our implementation (not yet public) we accept the empty string ("") as the value for clients not issued secrets. While this was done to simplify the interface and implementation, it would make it compliant in my view. In this case, the authorization server is validating the credentials, which are the client ID and the empty string, which is equivalent security-wise to any other length of "secret" issued to a native client.
I am splitting hairs now, but according to the spec an empty parameter value should be treated the same as if the parameter was not sent at all. So, an empty secret violates the requirement for the parameter to be present.

Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
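As an added illustration of the point under discussion (this is example code, not the implementation either poster describes): a token-endpoint client check in which an empty `client_secret` is treated exactly like an absent one, so a client that was never issued a secret is authenticated by client ID alone while a confidential client must send a non-empty, matching value. The client registry and secret values are constructed for the example.

```python
from urllib.parse import parse_qs
import hmac

# Constructed client registry (example data, not from the thread).
# A value of None means the client was registered without a secret,
# i.e. a native/public client in the sense used above.
CLIENTS = {
    "native-app": None,
    "web-app": "s3cret-from-registration",
}


def form_params(body: str) -> dict:
    """Parse an x-www-form-urlencoded token request into single-valued params.

    keep_blank_values=True retains 'client_secret=' as an empty string so the
    empty-vs-absent decision is made explicitly below rather than by the parser
    (parse_qs drops blank values by default, which would silently do the same).
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def secret_present(params: dict) -> bool:
    """An empty parameter value counts the same as a parameter that was not sent."""
    return bool(params.get("client_secret"))


def authenticate_client(body: str, registry: dict = CLIENTS) -> str:
    """Return 'ok_public', 'ok_confidential' or 'invalid_client' for a token request."""
    params = form_params(body)
    client_id = params.get("client_id")
    if not client_id or client_id not in registry:
        return "invalid_client"
    issued = registry[client_id]
    if issued is None:
        # No secret was issued, so none is required; a non-empty value cannot
        # match anything and is rejected rather than ignored.
        return "ok_public" if not secret_present(params) else "invalid_client"
    # Confidential client: the parameter must be present and non-empty.
    if not secret_present(params):
        return "invalid_client"
    # Constant-time comparison avoids leaking how much of the secret matched.
    matches = hmac.compare_digest(params["client_secret"], issued)
    return "ok_confidential" if matches else "invalid_client"
```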
