On Jun 29, 2012, at 11:06 AM, John Bradley wrote:

> It is nice to know that I may occasionally be correct :)

You must be delighted when it happens! ;)

> While you may assume that it is reasonable for a client with a code to make a
> request to the token endpoint including its client_id and the server to only
> give out the access token if the client_id in the token request matches the
> one in the original authorization request. However the spec specifically
> doesn't require that.

I think that is an error in the spec and should be changed, or text added saying that the client_id SHOULD be checked.

-- Dick

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
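
The check discussed in this message, as an added example that is not part of the original post or of any OAuth implementation: a token endpoint that binds each authorization code to the client_id it was issued for and refuses redemption by any other client. The class, method names, TTL and client names are assumptions made for the sketch.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed code lifetime for this sketch


class TokenError(Exception):
    """Raised when a token request must be refused."""


class AuthorizationServer:
    """Hypothetical in-memory server; stores which client each code belongs to."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # code -> (client_id, expires_at)

    def issue_code(self, client_id):
        # Authorization endpoint: remember the client the code was issued to.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem_code(self, code, client_id):
        # Token endpoint. pop() makes the code single use: any redemption
        # attempt, successful or not, consumes it.
        record = self._codes.pop(code, None)
        if record is None:
            raise TokenError("invalid_grant: unknown or already used code")
        bound_client, expires_at = record
        if self._now() > expires_at:
            raise TokenError("invalid_grant: code expired")
        # The check under discussion: requester must be the original client.
        if not hmac.compare_digest(bound_client.encode(), client_id.encode()):
            raise TokenError("invalid_grant: code was issued to another client")
        return secrets.token_urlsafe(32)  # opaque access token


def demo():
    """Redeem a code as the wrong client, then as the right one (constructed data)."""
    server = AuthorizationServer()
    results = {}
    try:
        server.redeem_code(server.issue_code("client-a"), "client-b")
        results["mismatch"] = "token issued"
    except TokenError as exc:
        results["mismatch"] = str(exc)
    results["match"] = bool(server.redeem_code(server.issue_code("client-a"), "client-a"))
    return results
```
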
