Can anyone please help me understand how these two sentences do not contradict?
>From section 2.2 Client Identifier > The client identifier is not a secret, it is exposed to the resource > owner, and *MUST NOT be used alone* for client authentication. >From section 3.2.1 Client Authentication > > A public client that was not issued a client password MAY use the > client_id request parameter to identify itself when sending requests to > the token endpoint. Thanks. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
