Hi all, 

Working on the proposed text for the OAuth assertions draft, I noticed an
interesting aspect in the core specification regarding Section 11.2.1, which
defines the registration template for OAuth parameters.

The template lists all possible usage locations of parameters, namely 
authorization request, authorization response, token request, or token response.

Here is the first issue: these locations are not defined anywhere in the 
document and so one can only guess to what part of the protocol exchange they 
belong. 

I agree that it may not be very difficult to guess, but obviously it is not
completely obvious. It would have been nice if there were actually a match with
Figure 1, for example.

http://tools.ietf.org/html/draft-ietf-oauth-assertions-03, for example, uses a 
location that is not in the above list, namely 'client authentication'. 

Client authentication can also happen in the interaction between the client and 
the resource server but the exchanges are not part of the allowed list of usage 
locations. 

Ciao
Hannes

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth