Although it seems like an abuse of the protocol, I'm wondering about Draft 22
as a mechanism for providing authorization without specifying client
credentials (i.e. evaluating it as part of an SSO solution).

Specifically, I'm referencing the scenario/flow in Section 4.3 ("Resource
Owner Password Credentials") where a callback_uri parameter is not
specified. Assume that the client type is "public".

I'm also referencing Section 2.4, "Unregistered Clients", where the text
says that the spec does not exclude the use of unregistered clients (with
the appropriate disclaimers).

Under these conditions, then, can I expect a spec-compliant
authorization server to not require client credentials when requesting an
access token?

-- Todd
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth