Fair enough. Thanks, Eran. Is that generally a clear distinction to the rest of the community already, or should this distinction be described in section 3.2.1?

On Sunday, February 12, 2012, Eran Hammer wrote:

> Identification isn't authentication. A public client can identify itself
> for the purpose of providing user context, statistics, etc.
>
> EH
>
> *From:* [email protected] [mailto:[email protected]]
> *On Behalf Of* Andrew Arnott
> *Sent:* Sunday, February 12, 2012 8:22 PM
> *To:* OAuth WG ([email protected])
> *Subject:* [OAUTH-WG] Reconciling section 2.2 with 3.2.1
>
> Can anyone please help me understand how these two sentences do not
> contradict?
>
> From section 2.2 Client Identifier
>
> The client identifier is not a secret, it is exposed to the resource
> owner, and *MUST NOT be used alone* for client authentication.
>
> From section 3.2.1 Client Authentication
>
> A public client that was not issued a client password MAY use the
> client_id request parameter to identify itself when sending requests to
> the token endpoint.
>
> Thanks.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
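
The distinction discussed in this thread, as an added example that is not part of the original messages or of the OAuth specification: a token-endpoint helper that accepts a bare `client_id` from a public client as identification only, and requires a verified secret before marking any client as authenticated. The registry, the names `resolve_client`, `ClientContext` and `allowed_to_act_as_itself`, and the sample values are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    secret: Optional[str]  # None: public client, no client password issued


@dataclass(frozen=True)
class ClientContext:
    client_id: str
    authenticated: bool  # True only when a credential was verified


# Constructed sample registrations (hypothetical values).
REGISTRY = {
    "native-app": Client("native-app", None),
    "web-backend": Client("web-backend", "constructed-secret"),
}


def resolve_client(params: dict) -> ClientContext:
    """Map token-endpoint parameters to an identified or authenticated client."""
    client = REGISTRY.get(params.get("client_id", ""))
    if client is None:
        raise PermissionError("invalid_client: unknown client_id")
    if client.secret is None:
        # 3.2.1: a public client MAY send client_id to identify itself.
        # 2.2: that alone is not authentication, so the flag stays False.
        return ClientContext(client.client_id, authenticated=False)
    presented = params.get("client_secret") or ""
    # A client that was issued a password must prove possession of it;
    # client_id alone is rejected. Comparison is constant-time.
    if not hmac.compare_digest(presented.encode(), client.secret.encode()):
        raise PermissionError("invalid_client: authentication failed")
    return ClientContext(client.client_id, authenticated=True)


def allowed_to_act_as_itself(ctx: ClientContext) -> bool:
    """Assumed policy: decisions that trust the client need authentication."""
    return ctx.authenticated
```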
