This line was left over from an earlier draft. It's now removed. It may reappear in the security considerations section.
EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Craig Heath
> Sent: Thursday, March 10, 2011 10:33 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Implicit Grant Client Authentication
>
> I'm sure this has been gone over before, so apologies for that, but I haven't
> found a clear answer (is there a better way than just Google to search the
> mailing list archive, by the way?)
>
> I've been puzzling over this text in 4.2: "... the authentication of the
> client is based on the user-agent's same-origin policy."
>
> I get that the client can't be provisioned with secret credentials and that's
> why we're using this flow, but I'm puzzled by the implication that it might
> still be possible to authenticate the client. Isn't the point of this flow
> that you can't?
>
> Specifically, how would you verify that the request is coming from a user
> agent that even has a same-origin policy?
>
> Thanks!
>
> - Craig.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth