On Mon, Jul 26, 2010 at 4:11 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote: > How do you link the client_id using in the authorization endpoint with the > client assertion using in the token endpoint?
In theory: "any document that defines how to use an assertion of a particular type with OAuth 2.0 MUST define how to map the value from the client_id parameter in the authorization request to a value or values in the assertion subsequently submitted with the code to obtain an access token." In practice: you do it the same way you handle any kind of identity assertion. There is some combination of issuer and subject and signature that ends up producing an identity that you trust. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth