If you have two components each with different security profile, you must assign each a different client_id. Otherwise, there is no way to enforce the rest of the spec's security requirements.
EH > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf > Of nov matake > Sent: Sunday, March 11, 2012 8:25 AM > To: [email protected] WG > Subject: [OAUTH-WG] Clarification of "client application consisting of > multiple > components" > > Hi, > > I just found this sentence in the latest draft. > > Does it mean "an application consisting of server-side and client-side > component (eg. foursquare iPhone app) MUST have separate client_id for > each component" ? > Or can I image something like Facebook is doing right now? (register each > component for a single client_id separately) > > == > A client application consisting of multiple components, each with its own > client type (e.g. a distributed client with both a confidential server-based > component and a public browser-based component), MUST register each > component separately as a different client to ensure proper handling by the > authorization server. The authorization server MAY provider tools to manage > such complex clients through a single administration interface. > == > > -- > nov <[email protected]> > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
