On 2021-02-25 3:41 a.m., Seán Kelleher wrote:
Yep, this is the big point - OAuth is designed to require the
third leg of trust that creates the NxM problem.
I believe the snippet of Justin's that you quoted actually shows you
how you can forgo the trust element using dynamic client registration.
It still allows a "server" to identify requests and impose security
policies via the client ID, but without requiring the client author to
manually register the client in advance of using it (e.g. in the case
where the client author doesn't even know what servers the client is
going to be connecting to). You still need the client ID, but anyone
can get one whenever they need it.
Apologies if this is a dumb question, but how would you discover the
dynamic client registration endpoint after getting a 401 unauthorized?
I couldn't really find anything in RFC7591 about this.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
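The registration flow the thread is discussing, as an added example that is not part of the original messages or of any IETF document: it locates the `registration_endpoint` through RFC 8414 authorization server metadata (the `/.well-known/oauth-authorization-server` document, which RFC 7591 itself does not define) and then performs an RFC 7591 registration request. It assumes the client already knows the authorization server's issuer URL; the question of how to learn that from a bare 401 is left open here, as it is in the thread. The issuer, endpoints, `client_id` and responses below are constructed for an offline demo, and the HTTP transport is injected so the same code can run against the fake server or, via the `urllib` helpers, a real one.

```python
"""RFC 8414 metadata discovery followed by RFC 7591 dynamic client registration.

Added example (not from the thread). Assumes the issuer URL is known up front.
fetch/post are injected so the demo runs offline against a constructed server.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


class RegistrationError(Exception):
    """RFC 7591 section 3.2.2 error response or an unexpected reply."""


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known path between host and issuer path."""
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return f"https://{p.netloc}{WELL_KNOWN}{p.path.rstrip('/')}"


def discover_registration_endpoint(issuer: str, fetch) -> str:
    """fetch(url) -> body str. Return the advertised registration_endpoint."""
    meta = json.loads(fetch(metadata_url(issuer)))
    # RFC 8414 section 3.3: the issuer inside the document must equal the one
    # we asked for; a mismatch means misconfiguration or impersonation.
    if meta.get("issuer") != issuer:
        raise ValueError("issuer in metadata does not match requested issuer")
    endpoint = meta.get("registration_endpoint")
    if not endpoint:
        raise ValueError("server does not advertise dynamic client registration")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("registration_endpoint must be https")
    return endpoint


def build_registration_request(redirect_uris, client_name: str) -> dict:
    """RFC 7591 section 2 client metadata for a public authorization-code client."""
    return {
        "redirect_uris": list(redirect_uris),
        "client_name": client_name,
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",  # public client: no client secret
    }


def register_client(issuer, redirect_uris, client_name, fetch, post) -> dict:
    """post(url, body, headers) -> (status, body). Returns the section 3.2.1 response."""
    endpoint = discover_registration_endpoint(issuer, fetch)
    body = json.dumps(build_registration_request(redirect_uris, client_name))
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    status, resp_body = post(endpoint, body, headers)
    resp = json.loads(resp_body) if resp_body else {}
    if status == 201 and "client_id" in resp:
        # With open registration anyone can obtain a client_id, so a server may
        # key policy and rate limits on it but must not treat it as proof of identity.
        return resp
    if status == 400 and "error" in resp:
        raise RegistrationError(f"{resp['error']}: {resp.get('error_description', '')}")
    raise RegistrationError(f"unexpected registration response: HTTP {status}")


def urllib_fetch(url: str) -> str:  # real transport, stdlib only
    with urllib.request.urlopen(url, timeout=10) as r:
        return r.read().decode("utf-8")


def urllib_post(url: str, body: str, headers: dict):  # real transport, stdlib only
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8")


# Constructed fake authorization server for the offline demo (not a real host).
FAKE_ISSUER = "https://as.example/tenant1"
FAKE_METADATA = json.dumps({
    "issuer": FAKE_ISSUER,
    "authorization_endpoint": "https://as.example/tenant1/authorize",
    "token_endpoint": "https://as.example/tenant1/token",
    "registration_endpoint": "https://as.example/tenant1/register",
})


def fake_fetch(url: str) -> str:
    if url == "https://as.example/.well-known/oauth-authorization-server/tenant1":
        return FAKE_METADATA
    raise RuntimeError(f"fake server has no document at {url}")


def fake_post(url: str, body: str, headers: dict):
    req = json.loads(body)
    if url != "https://as.example/tenant1/register":
        return 404, ""
    if any(not u.startswith("https://") for u in req["redirect_uris"]):
        return 400, json.dumps({"error": "invalid_redirect_uri"})  # RFC 7591 section 3.2.2
    return 201, json.dumps({"client_id": "dyn-client-0001",  # constructed value
                            "client_name": req["client_name"],
                            "redirect_uris": req["redirect_uris"]})


def demo() -> dict:
    return register_client(FAKE_ISSUER, ["https://app.example/cb"], "demo app", fake_fetch, fake_post)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The issuer comparison in `discover_registration_endpoint` is the check worth keeping in any real client: the metadata document is fetched from a URL derived from the issuer, and RFC 8414 requires the `issuer` field inside it to match exactly, which stops a client from registering with (and later sending users to) an endpoint advertised by the wrong server.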