On 12-09-12 21:58, Brian Campbell wrote:
"Client assertion authentication is nothing more than an alternative
way for a client to authenticate to the token endpoint and must be
used in conjunction with some grant type to form a complete and
meaningful protocol request. Assertion authorization grants may be
used with or without client authentication or identification. Whether
or not client authentication is needed in conjunction with an
assertion authorization grant, as well as the supported types of
client authentication, are policy decisions at the discretion of the
authorization server."
The last sentence appears to leave some space for client assertion
authentication to be used with other forms of client authentication. Is
this intended, as it appears to go contrary to "The client MUST NOT use
more than one authentication method in each request" in [1]?
Regards,
- Willem
[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-2.3
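
An added example, not part of the original message or of either draft: one way a token endpoint could enforce the "MUST NOT use more than one authentication method" rule from [1] while still leaving client authentication on assertion grants to server policy. The function names, the method labels (http_basic, body_secret, client_assertion) and the require_client_auth_for_assertion_grants switch are assumptions made for this sketch.

```python
# Added example: at most one client authentication method per token request.
# Labels and the policy flag below are hypothetical, not taken from the drafts.
ASSERTION_GRANTS = {
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
}


class TokenRequestError(ValueError):
    """Carries an OAuth error code (invalid_request, invalid_client)."""


def presented_auth_methods(headers, form):
    """Return every client authentication method visible in the request."""
    methods = []
    scheme = headers.get("Authorization", "").split(" ", 1)[0].lower()
    if scheme == "basic":
        methods.append("http_basic")
    if "client_secret" in form:
        methods.append("body_secret")
    # Either parameter alone already signals an attempt at assertion auth.
    if "client_assertion" in form or "client_assertion_type" in form:
        methods.append("client_assertion")
    return methods


def check_token_request(headers, form,
                        require_client_auth_for_assertion_grants=True):
    """Return (grant_type, auth_method or None) or raise TokenRequestError."""
    grant = form.get("grant_type")
    if not grant:
        raise TokenRequestError("invalid_request: missing grant_type")
    methods = presented_auth_methods(headers, form)
    # Reject mixed credentials before validating any one of them.
    if len(methods) > 1:
        raise TokenRequestError(
            "invalid_request: more than one client authentication method")
    if methods == ["client_assertion"] and not (
            form.get("client_assertion") and form.get("client_assertion_type")):
        raise TokenRequestError("invalid_request: incomplete client assertion")
    # Policy decision of the authorization server: may an assertion grant
    # arrive with no client authentication at all?
    if (not methods and grant in ASSERTION_GRANTS
            and require_client_auth_for_assertion_grants):
        raise TokenRequestError("invalid_client: client authentication required")
    return grant, (methods[0] if methods else None)
```

Other grant types without client credentials are passed through here; whether they are acceptable is left to the rest of the server's policy.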