Agree Sergey. That line of thinking is largely why https://tools.ietf.org/html/draft-campbell-oauth-sts utilizes normal OAuth client authentication.
On Wed, Jul 8, 2015 at 3:26 AM, Sergey Beryozkin <[email protected]> wrote:

> On 08/07/15 01:41, Mike Jones wrote:
>
>> [...] That’s why the WG draft uses a JWT as the request – so
>> a signature can be applied to the request, when appropriate. (And when
>> it’s not needed, “alg”: “none” can be used.)
>
> The requester is a client talking to the token endpoint and this client
> needs to authenticate, why it needs to sign the token-exchange related
> parts too?
>
> Thanks, Sergey
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
