On Thu, Jun 2, 2011 at 3:01 PM, Peter Saint-Andre <[email protected]> wrote:
> I think I might have misunderstood that text -- I took it to be talking
> about the client's authentication with the authorization server, not the
> client's authentication with the resource server.

No, you understand perfectly. We're talking about giving extremely powerful and near-permanent credentials to clients we can't authenticate. We're pretty sure this is a good idea. =)

We authenticate the user and get their consent. If they say yes, the client gets something that is almost, but not quite, equivalent to an alternate password for the user.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
