Eran:
> > I would like to go back to requiring client authentication for the access token endpoint

Brian:
> Sure. Why not?
>
> 1) It makes the spec simpler.
> 2) It has no impact on the security of clients that can't keep secrets.
> 3) It has no impact on the security of clients that can keep secrets.

Brian - can you elaborate on that a little? Are you suggesting that clients that can't keep secrets use a dummy (notasecret) pwd anyway to satisfy "requiring client authentication"?

I can't see any point in the spec saying client authentication is required if it doesn't add value in a way that can be explained to everyone (e.g. what you said in http://www.ietf.org/mail-archive/web/oauth/current/msg06362.html about rolling over the client secret to deal with compromised refresh tokens).

What seems to be missing in the discussion and the security considerations of the spec is a decent list of general and grant-type-specific security implications/pros/cons for the system if meaningful client authentication at the token endpoint is available or not available.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
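The two cases the thread is arguing about (a confidential client that can rotate its secret, and a public client presenting a dummy "notasecret" value) can be shown side by side with a small token-endpoint model. This is an added example, not code from the mailing list or from any OAuth implementation; the `AuthServer` class, the client ids `conf-app` and `pub-app`, and the in-memory refresh-token store are all constructed for illustration. It demonstrates the point made in the linked message: rotating the secret of a confidential client makes a leaked refresh token useless without the new secret, while for a public client the "required" authentication adds nothing, so the refresh token alone remains sufficient.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Client:
    """Constructed registry entry; public clients have no real secret."""
    client_id: str
    confidential: bool
    secret: Optional[str] = None
    refresh_tokens: Set[str] = field(default_factory=set)


class AuthServer:
    """Toy authorization server (hypothetical; not any real library's API)."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}

    def register(self, client_id: str, confidential: bool) -> Optional[str]:
        # Only confidential clients are issued a secret worth checking.
        secret = secrets.token_urlsafe(32) if confidential else None
        self.clients[client_id] = Client(client_id, confidential, secret)
        return secret

    def issue_refresh_token(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.clients[client_id].refresh_tokens.add(token)
        return token

    def rotate_secret(self, client_id: str) -> str:
        # "Rolling over" the client secret after a suspected refresh-token leak.
        client = self.clients[client_id]
        assert client.confidential, "public clients have no secret to rotate"
        client.secret = secrets.token_urlsafe(32)
        return client.secret

    def authenticate_client(self, client_id: str, presented: Optional[str]) -> Optional[Client]:
        client = self.clients.get(client_id)
        if client is None:
            return None
        if not client.confidential:
            # Public client: whatever is presented ("notasecret", anything) is
            # accepted, because no secret could be kept in the first place.
            return client
        if presented is None:
            return None
        # Constant-time comparison of the stored and presented secrets.
        if not hmac.compare_digest(client.secret.encode(), presented.encode()):
            return None
        return client

    def token_endpoint(self, client_id: str, presented: Optional[str], refresh_token: str) -> dict:
        """Refresh-token grant: client authentication first, then the grant."""
        client = self.authenticate_client(client_id, presented)
        if client is None:
            return {"error": "invalid_client"}
        if refresh_token not in client.refresh_tokens:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}


def demo() -> dict:
    """Walk both client types through a refresh before and after secret rotation."""
    srv = AuthServer()
    conf_secret = srv.register("conf-app", confidential=True)
    srv.register("pub-app", confidential=False)
    conf_rt = srv.issue_refresh_token("conf-app")
    pub_rt = srv.issue_refresh_token("pub-app")

    out = {}
    out["conf_before"] = "access_token" in srv.token_endpoint("conf-app", conf_secret, conf_rt)
    out["pub_before"] = "access_token" in srv.token_endpoint("pub-app", "notasecret", pub_rt)

    # Operator suspects conf-app's refresh token leaked and rolls the secret over.
    new_secret = srv.rotate_secret("conf-app")
    out["conf_old_secret_after"] = srv.token_endpoint("conf-app", conf_secret, conf_rt)["error"]
    out["conf_new_secret_after"] = "access_token" in srv.token_endpoint("conf-app", new_secret, conf_rt)

    # Public client: there is nothing to rotate, so the refresh token alone still suffices.
    out["pub_any_secret_after"] = "access_token" in srv.token_endpoint("pub-app", "anything", pub_rt)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The asymmetry in `demo()` is exactly the distinction between Brian's points 2 and 3: for `conf-app` the secret is a second factor the server can revoke, so the refresh token alone becomes worthless after rotation; for `pub-app` the "required" credential is decorative, and the security of the grant rests entirely on the refresh token.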
