Hello,

Do you have any plan to define a rule as to which client authentication method should be used at the device authorization endpoint (which is defined in OAuth 2.0 Device Authorization Grant <https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/?include_text=1>)?

Section 4 of CIBA <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>, which has incorporated some ideas/rules/parameters from Device Flow, says as follows.

*The token_endpoint_auth_method indicates the registered authentication method for the client to use when making direct requests to the OP, including requests to both the token endpoint and the backchannel authentication endpoint.*

This means that a backchannel authentication endpoint in CIBA (which corresponds to a device authorization endpoint in Device Flow) performs client authentication using the client authentication method specified by the token_endpoint_auth_method metadata of the client.

I'd like to know if you have any plan to explicitly add a description like the above into the specification of OAuth 2.0 Device Authorization Grant.

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
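The rule the message asks about, applied in code: the client authenticates to the device authorization endpoint with whatever token_endpoint_auth_method it registered, and the authorization server accepts a request only if the method actually presented matches that registration. This is an added illustration, not code from the mailing list, the Device Flow draft, CIBA, or Authlete; the endpoint URL, the client registrations and the secrets are constructed sample values, and the client_secret_basic encoding follows RFC 6749 Section 2.3.1.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlencode, parse_qs

# Hypothetical device authorization endpoint (constructed for this example).
DEVICE_AUTHZ_ENDPOINT = "https://as.example/device_authorization"

# Constructed sample client registrations. token_endpoint_auth_method is the
# single registered method the client uses at both the token endpoint and the
# device authorization endpoint.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {
        "token_endpoint_auth_method": "client_secret_basic",
        "client_secret": "7Fjfp0ZBr1KtDRbnfVdmIw",
    },
    "public-tv-app": {  # public client: identifies itself, no secret
        "token_endpoint_auth_method": "none",
        "client_secret": None,
    },
}


def build_device_authorization_request(auth_method, client_id, client_secret=None, scope=None):
    """Client side: return (headers, urlencoded body) for a POST to the device
    authorization endpoint, authenticating with the registered auth_method."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {}
    if scope:
        params["scope"] = scope
    if auth_method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, then Base64 the pair.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif auth_method == "none":
        params["client_id"] = client_id
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")
    return headers, urlencode(params)


def authenticate_client(headers, body):
    """Server side: work out which method the request used, then accept it only
    if it matches the client's registered token_endpoint_auth_method and, for
    confidential clients, the secret verifies. Returns client_id or None."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):]).decode()
        except Exception:
            return None
        cid, _, secret = raw.partition(":")
        method, cid, secret = "client_secret_basic", unquote(cid), unquote(secret)
    elif "client_secret" in form:
        method, cid, secret = "client_secret_post", form.get("client_id"), form["client_secret"]
    elif "client_id" in form:
        method, cid, secret = "none", form["client_id"], None
    else:
        return None

    reg = REGISTERED_CLIENTS.get(cid)
    # Reject an unknown client or a method other than the registered one, so a
    # client cannot switch to a weaker method at this endpoint.
    if reg is None or reg["token_endpoint_auth_method"] != method:
        return None
    if method != "none" and not hmac.compare_digest(secret or "", reg["client_secret"]):
        return None
    return cid


if __name__ == "__main__":
    h, b = build_device_authorization_request(
        "client_secret_basic", "s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw", scope="profile")
    print("POST", DEVICE_AUTHZ_ENDPOINT, h, b)
    print("authenticated as:", authenticate_client(h, b))
```

The server-side check is the part worth copying: it does not merely verify a secret, it first determines which method the request used and compares that with the registration, so the same policy applies at the device authorization endpoint as at the token endpoint.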
