The last sentence is intended to say that any form of client authentication that the AS supports (including none) can be used with an assertion grant. It's a general policy statement and doesn't mean that more than one type of client authentication can be used in a single request. That "The client MUST NOT use more than one authentication method in each request" and other requirements from draft-ietf-oauth-v2 still apply.
Could this be worded differently to be more clear?

On Thu, Sep 13, 2012 at 4:26 AM, Willem van Engen <[email protected]> wrote:
> On 12-09-12 21:58, Brian Campbell wrote:
>>
>> "Client assertion authentication is nothing more than an alternative
>> way for a client to authenticate to the token endpoint and must be
>> used in conjunction with some grant type to form a complete and
>> meaningful protocol request. Assertion authorization grants may be
>> used with or without client authentication or identification. Whether
>> or not client authentication is needed in conjunction with an
>> assertion authorization grant, as well as the supported types of
>> client authentication, are a policy decisions at the discretion of the
>> authorization server."
>
> The last sentence appears to leave some space for client assertion
> authentication to be used with other forms of client authentication. Is this
> intended, as it appears to go contrary to "The client MUST NOT use more than
> one authentication method in each request" in [1] ?
>
> Regards,
> - Willem
>
> [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-2.3
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
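As an added illustration (not from the thread or the draft text), here is a small token-endpoint check in Python that keeps the assertion grant (grant_type plus assertion) separate from client assertion authentication (client_assertion_type plus client_assertion), rejects a request carrying more than one client authentication method, and leaves whether client authentication is required at all to an AS policy flag. The jwt-bearer URNs are assumed from the JWT assertion profile and the sample requests are constructed.

```python
from urllib.parse import parse_qs, urlencode

# URNs from the JWT assertion profile; assumed here, not quoted in the thread.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_BEARER_CLIENT_AUTH = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def client_auth_methods(headers, form):
    """Set of client authentication methods present in one token request."""
    methods = set()
    if headers.get("Authorization", "").startswith("Basic "):
        methods.add("client_secret_basic")
    if "client_secret" in form:
        methods.add("client_secret_post")
    if "client_assertion" in form or "client_assertion_type" in form:
        methods.add("client_assertion")
    return methods

def check_token_request(headers, body, require_client_auth=False):
    """Return ("ok", [methods]) or (error_code, reason). require_client_auth is
    the policy knob the draft text leaves to the authorization server."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    methods = client_auth_methods(headers, form)
    # draft-ietf-oauth-v2 section 2.3: at most one authentication method per request
    if len(methods) > 1:
        return ("invalid_client", "more than one client authentication method")
    if "client_assertion" in methods and form.get("client_assertion_type") != JWT_BEARER_CLIENT_AUTH:
        return ("invalid_client", "unsupported client_assertion_type")
    # the assertion grant is a grant type, distinct from client assertion authentication
    if form.get("grant_type") == JWT_BEARER_GRANT and "assertion" not in form:
        return ("invalid_request", "assertion grant without assertion parameter")
    if require_client_auth and not methods:
        return ("invalid_client", "client authentication required by AS policy")
    return ("ok", sorted(methods))

# Constructed sample requests; the JWT strings and Basic credentials are placeholders.
GRANT = {"grant_type": JWT_BEARER_GRANT, "assertion": "eyJ.placeholder.grant"}
CLIENT_ASSERTION = {"client_assertion_type": JWT_BEARER_CLIENT_AUTH,
                    "client_assertion": "eyJ.placeholder.client"}
SAMPLES = {
    "grant_no_auth": ({}, urlencode(GRANT)),
    "grant_with_client_assertion": ({}, urlencode({**GRANT, **CLIENT_ASSERTION})),
    "grant_with_two_methods": ({"Authorization": "Basic Y2xpZW50OnNlY3JldA=="},
                               urlencode({**GRANT, **CLIENT_ASSERTION})),
}

def run_samples(require_client_auth=False):
    """Evaluate every constructed sample under the given AS policy."""
    return {name: check_token_request(h, b, require_client_auth)
            for name, (h, b) in SAMPLES.items()}
```

With the policy flag off, the assertion grant is accepted with no client authentication; with it on, the same request is rejected while the grant combined with a single client assertion still passes.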
