On 6/1/11 1:06 PM, Brian Eaton wrote:
> Hey Peter -
>
> I haven't read all of your comments yet, but I wanted to clarify one
> point about client impersonation and installed apps. The current text
> is unrealistic, but your request would push it the wrong way. CC'ing
> Torsten as well.
>
> ---------------------
> OLD:
> The authorization server SHOULD issue access tokens with limited
> scope and duration to clients incapable of authenticating.
>
> NEW:
> If the authorization server issues access tokens to clients
> that are incapable of authenticating, the scope and duration of
> such tokens SHOULD be limited.
>
> RATIONALE: We're not actively RECOMMENDING authorization servers are to
> issue such tokens, are we?
> ---------------------
>
> We are most definitely recommending that clients that have no way of
> authenticating are issued long-lived credentials to access user data.
I think I might have misunderstood that text -- I took it to be talking about the client's authentication with the authorization server, not the client's authentication with the resource server.

Peter

--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
