Yeah, I had just sort of been going off the assumption that
client_id is required & client_secret is not but, looking at -15
again, I agree that it's not entirely obvious.  There's the text at
the end of section 3 that allows for unauthenticated clients.
Then in 3.1 both client_id & client_secret are marked as required.
So, while it says unauthenticated clients are allowed, it's not fully
clear how they are supposed to work or what parameters they should
present.

Along the same lines, can an unauthenticated client use HTTP Basic as
shown in section 3.2 to present only the client_id?  Would that just
amount to using an empty string in place of a password? So something
like some_client_id: would end up as the header,
Authorization: Basic c29tZV9jbGllbnRfaWQ6
?


On Mon, May 16, 2011 at 11:18 AM, Vlad Skvortsov <v...@aboutecho.com> wrote:
>
> On Fri, May 13, 2011 at 04:15:17PM -0700, Eran Hammer-Lahav wrote:
> > The client_id is required. client_secret is not.
>
> Ok, thanks! This might deserve a clarification in the spec though — not
> obvious.
>
> >
> > EHL
> >
> > On May 13, 2011, at 16:00, "Vlad Skvortsov" <v...@aboutecho.com> wrote:
> >
> > > Hi,
> > >
> > > > I have a question regarding unauthenticated requests to a token endpoint
> > > in OAuth 2.0. The spec v2-15 section 3 says[1] that "the authorization
> > > server MAY allow unauthenticated access token requests when the client
> > > identity does not matter". Does that mean omitting "client_id" and
> > > "client_secret" parameters altogether?
> > >
> > > In our setting there are two types of clients: regular clients with
> > > proper credentials (username/password) and JavaScript clients working
> > > anonymously. The server is supposed to grant different permissions to
> > > these groups of clients based on the authentication method used.
> > >
> > > It's not clear from the spec how the anonymous access should be
> > > > requested. Please advise!
> > >
> > > Thanks!
> > >
> > > [1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-3
> > >
> > > --
> > > Vlad Skvortsov, VP Engineering Echo, v...@aboutecho.com
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Vlad Skvortsov, v...@aboutecho.com
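An added example, not part of any message in this thread or of the draft: one way a token endpoint could read client credentials when the `some_client_id:` Basic form asked about above is sent. Treating an empty password as "no secret presented", the function names and the registry layout are all assumptions.

```python
import base64
import hmac

def basic_header(client_id, client_secret=""):
    """Client side: build the Authorization value; empty secret leaves 'id:'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_client_credentials(headers, form):
    """Server side: return (client_id, secret or None) or raise ValueError."""
    found = []
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except ValueError as exc:  # bad base64 or bad UTF-8
            raise ValueError("malformed Basic credentials") from exc
        if ":" not in decoded:
            raise ValueError("Basic credentials need a ':' separator")
        user, _, password = decoded.partition(":")
        found.append((user, password))
    if "client_id" in form or "client_secret" in form:
        found.append((form.get("client_id", ""), form.get("client_secret", "")))
    if len(found) > 1:
        raise ValueError("client credentials sent by more than one method")
    if not found or not found[0][0]:
        raise ValueError("client_id is required")
    client_id, secret = found[0]
    # Assumption: an empty password/secret means "no secret presented".
    return client_id, (secret or None)

def authenticate_client(headers, form, registry):
    """registry: client_id -> stored secret, or None if registered without one."""
    client_id, secret = parse_client_credentials(headers, form)
    if client_id not in registry:
        raise ValueError("unknown client")
    stored = registry[client_id]
    if stored is None:
        return client_id, "unauthenticated"
    # A client that has a secret must never get in with an empty or wrong one.
    if secret is None or not hmac.compare_digest(secret.encode(), stored.encode()):
        raise ValueError("invalid client credentials")
    return client_id, "authenticated"

# Constructed sample registry, not taken from the thread.
REGISTRY = {"some_client_id": None, "web_app": "s3cret"}
```

The returned label is what a server would use to grant different permissions to the two groups of clients; a client registered with a secret is rejected when it sends the empty-password form.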