Yes Sergey, it's to allow for support of unregistered clients. Typically such clients will have some relationship established with a security token service (STS) where they can obtain assertion grants and the AS trusts the STS to issue such assertions. In that kind of scenario, the identity of the client can be considered unimportant - what's important is that the AS trusts the STS and in turn the STS trusted the client enough to issue it a suitable assertion.
On Thu, May 15, 2014 at 10:41 AM, Sergey Beryozkin <[email protected]> wrote:
> Hi
>
> I'm reviewing the way client authentication is expected to be done when
> either SAML or JWT bearer assertion is used as a grant [1] which
> corresponds to the case described in [2].
>
> [1] says: "Authentication of the client is optional...".
>
> Can someone please clarify how it can be optional given that in this case
> a subject of the assertion does not identify a client? Is it about
> supporting unregistered clients which have managed to obtain somehow the
> assertion grants?
>
> Thanks, Sergey
>
> [1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-4.1
> [2] http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
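Worked example of the trust model described in the reply above (added here; not code from the thread or from any OAuth implementation): a minimal token-endpoint check for the jwt-bearer grant that validates the assertion against a table of trusted STS issuers and requires no client credentials. The STS issuer name, the AS endpoint URL and the HS256 shared key are constructed assumptions; a real deployment would normally verify an asymmetric STS signature instead.

```python
import base64, hashlib, hmac, json, time

# Constructed trust table: issuer -> HMAC key the AS shares with that STS (assumption).
TRUSTED_STS_KEYS = {"https://sts.example.test": b"constructed-shared-secret"}
AS_TOKEN_ENDPOINT = "https://as.example.test/token"   # constructed audience value
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(key, claims):
    """Build an HS256 JWT the way the STS would (constructed test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_jwt_bearer_grant(form, now=None):
    """Return (ok, reason) for a token request. No client_id/secret is required:
    the AS relies on its trust in the STS that signed the assertion."""
    now = time.time() if now is None else now
    if form.get("grant_type") != JWT_BEARER:
        return False, "unsupported_grant_type"
    try:
        h, p, s = form["assertion"].split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (KeyError, ValueError):
        return False, "malformed_assertion"
    if header.get("alg") != "HS256":          # pin the algorithm; never accept "none"
        return False, "unsupported_alg"
    key = TRUSTED_STS_KEYS.get(claims.get("iss"))
    if key is None:                           # only assertions from a trusted STS count
        return False, "untrusted_issuer"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad_signature"
    aud = claims.get("aud")
    if AS_TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong_audience"        # assertion must be meant for this AS
    if "exp" not in claims or claims["exp"] <= now:
        return False, "expired"
    if "sub" not in claims:                   # subject is the resource owner, not the client
        return False, "missing_subject"
    return True, "ok"
```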
