All section 3 says is that you cannot use it alone for authentication. You can use it alone, but it is not considered authentication and the client identity is nothing more than a hint without other information you can validate.
EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Monica Wilkinson
Sent: Tuesday, May 24, 2011 8:17 PM
To: [email protected]
Subject: [OAUTH-WG] Does Section 3 contradict Section 4.2? Recommendations for Native Apps

Hey guys,

I am working with the engineers at my company to roll out OAuth 2 support for mobile and desktop. One concern is Section 3 of the spec calling out the fact that the client id should not be used by itself; however, the implicit grant does just that. And the new native apps section does not provide pros and cons of each. Can we get some clarity on what the recommended approach is?

Here are the excerpts:

http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-3

The client identifier is not a secret, it is exposed to the resource owner, and MUST NOT be used alone for client authentication. Client authentication is accomplished via additional means such as a matching client password.

http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.2

Example:

GET /authorize?response_type=token&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Thanks,
Monica
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
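As an added example (not code from this thread or from the OAuth specification), here is how an authorization server can act on Eran's point: in the implicit grant the client_id is only a hint, so the server corroborates it by requiring an exact match against a redirect_uri pre-registered for that client_id, and still records the client as unauthenticated. The client registration table is constructed for the example; the request line is the one from the Section 4.2 excerpt above.

```python
"""Added example: treat client_id in an implicit-grant request as a hint
that must be corroborated by a pre-registered redirect_uri. The client
registration table below is constructed for this example."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed registration: public clients (native/JS) register a client_id
# and exact redirect URIs; they hold no client secret, so nothing here
# authenticates the client in the Section 3 sense.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": {"https://client.example.com/cb"}},
}


@dataclass
class Decision:
    ok: bool
    client_id: Optional[str]
    redirect_uri: Optional[str]       # only set once it is verified
    client_authenticated: bool        # always False for the implicit grant
    error: Optional[str] = None


def check_implicit_request(request_line: str) -> Decision:
    """Validate the authorization request of an implicit grant (Section 4.2)."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        return Decision(False, None, None, False, "invalid_request")
    # parse_qs percent-decodes values, so the redirect_uri compares as a plain URI.
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Each request parameter MUST NOT be included more than once.
    if any(len(v) != 1 for v in params.values()):
        return Decision(False, None, None, False, "invalid_request")
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    if params.get("response_type", [None])[0] != "token":
        return Decision(False, client_id, None, False, "unsupported_response_type")
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        # Unknown client_id: never redirect, the supplied URI is unverified.
        return Decision(False, client_id, None, False, "invalid_client")
    # The client_id is public. The only thing binding this request to the
    # registered client is an exact match against a pre-registered redirect_uri.
    if redirect_uri is None or redirect_uri not in client["redirect_uris"]:
        return Decision(False, client_id, None, False, "invalid_redirect_uri")
    return Decision(True, client_id, redirect_uri, client_authenticated=False)
```

Even on success the decision carries client_authenticated=False: the token may be delivered to the verified redirect_uri, but the server has learned only which registered client the request claims to be from.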
