I agree. If there is no good reason for the token endpoint not to check the client_id with public clients, then we should add that it SHOULD or MUST be checked for the authorization_code and refresh_token grant_type.
Though I don't know if we want to get carried away with the whole agreeing thing.

John B.

On 2012-06-29, at 2:14 PM, Dick Hardt wrote:

>
> On Jun 29, 2012, at 11:06 AM, John Bradley wrote:
>
>> It is nice to know that I may occasionally be correct:)
>
> You must be delighted when it happens! ;)
>
>> While you may assume that it is reasonable for a client with a code to make
>> a request to the token endpoint including its client_id and the server to
>> only give out the access token if the client_id in the token request matches
>> the one in the original authorization request. However the spec
>> specifically doesn't require that.
>
> I think that is an error in the spec and should be changed, or text added
> saying that the client_id SHOULD be checked.
>
> -- Dick
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
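A token endpoint that performs the check the thread is asking for, binding both authorization codes and refresh tokens to the client_id of the original authorization request, added here as an illustration (it is not code from the OAuth specification or from either correspondent); the in-memory stores, client ids, codes, tokens and redirect URIs are constructed sample values:

```python
from dataclasses import dataclass
from typing import Dict

@dataclass
class IssuedCode:
    client_id: str      # client_id from the original authorization request
    redirect_uri: str
    used: bool = False

@dataclass
class IssuedRefreshToken:
    client_id: str      # client the refresh token was issued to

# Constructed in-memory stores standing in for the server's database.
AUTH_CODES: Dict[str, IssuedCode] = {
    "code-abc": IssuedCode("public-app", "https://app.example/cb"),
    "code-def": IssuedCode("other-app", "https://other.example/cb"),
}
REFRESH_TOKENS: Dict[str, IssuedRefreshToken] = {
    "rt-123": IssuedRefreshToken("public-app"),
}

def token_endpoint(params: Dict[str, str]) -> Dict[str, str]:
    """Redeem a grant only for the client it was issued to; returns the
    token response body, or an OAuth error body on failure."""
    client_id = params.get("client_id")
    if not client_id:
        return {"error": "invalid_client"}
    grant_type = params.get("grant_type")
    if grant_type == "authorization_code":
        code = AUTH_CODES.get(params.get("code", ""))
        if code is None or code.used:
            return {"error": "invalid_grant"}
        if code.client_id != client_id:
            # Another client presented this code: treat it as leaked and burn it.
            code.used = True
            return {"error": "invalid_grant"}
        if code.redirect_uri != params.get("redirect_uri"):
            return {"error": "invalid_grant"}
        code.used = True  # codes are single use
        return {"access_token": f"at-for-{client_id}", "token_type": "Bearer"}
    if grant_type == "refresh_token":
        rt = REFRESH_TOKENS.get(params.get("refresh_token", ""))
        if rt is None or rt.client_id != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": f"at-for-{client_id}", "token_type": "Bearer"}
    return {"error": "unsupported_grant_type"}
```

For public clients there is no client secret, so this client_id comparison is the only thing tying the token request to the grant; burning the code on a mismatch is a design choice, not something the spec mandates.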
