On Mon, Jul 26, 2010 at 2:08 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote: > I understand that in many assertions, the client identifier is established > internally, but this approach will completely prevent using the assertion > client authentication method with other flows that involve getting a code.
I'm pretty sure that's exactly the opposite of what Yaron was trying to achieve. client_id will continue to be passed on the authorization URL. No client_id will be passed on the token endpoint, because it's either insecure, or not necessary. The assertion has to contain the client identifier. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth