Identification isn't authentication. A public client can identify itself for the purpose of providing user context, statistics, etc.
EH

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Arnott
Sent: Sunday, February 12, 2012 8:22 PM
To: OAuth WG ([email protected])
Subject: [OAUTH-WG] Reconciling section 2.2 with 3.2.1

Can anyone please help me understand how these two sentences do not contradict?

From section 2.2 Client Identifier

The client identifier is not a secret, it is exposed to the resource owner, and MUST NOT be used alone for client authentication.

From section 3.2.1 Client Authentication

A public client that was not issued a client password MAY use the client_id request parameter to identify itself when sending requests to the token endpoint.

Thanks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
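The distinction discussed in this thread, as an added example that is not part of the original messages or of the specification text: a token-endpoint helper that accepts a bare client_id from a public client as identification only, and never treats it as authentication for a client that was issued a password. The registry, the client names, the secret and the function names are all hypothetical and constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    secret: Optional[str]  # None means a public client (no password issued)


@dataclass(frozen=True)
class ClientContext:
    client_id: str
    authenticated: bool  # True only when a credential was verified


# Constructed sample registry; ids and secret are made up for this example.
REGISTRY = {
    "native-app": Client("native-app", None),
    "web-backend": Client("web-backend", "s3cr3t-constructed"),
}


def resolve_client(client_id: str, client_secret: Optional[str] = None):
    """Return a ClientContext, or None when the request must be rejected."""
    client = REGISTRY.get(client_id)
    if client is None:
        return None
    if client.secret is None:
        # Public client: client_id identifies the caller (user context,
        # statistics) but proves nothing, so authenticated stays False.
        return ClientContext(client_id, authenticated=False)
    # Client with an issued password: client_id alone is never sufficient.
    if client_secret is None:
        return None
    if not hmac.compare_digest(client.secret.encode(), client_secret.encode()):
        return None
    return ClientContext(client_id, authenticated=True)


def requires_authenticated_client(ctx: Optional[ClientContext]) -> bool:
    """Hypothetical policy gate for operations that depend on client identity."""
    return ctx is not None and ctx.authenticated
```
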
