On Mon, Apr 4, 2011 at 4:14 PM, Skylar Woodward <sky...@kiva.org> wrote:
> In our implementation (not yet public) we accept the empty string ("") as the 
> value for clients not issued secrets. While this was done to simplify the 
> interface and implementation, it would make it compliant in my view.  In this 
> case, the authorization server is validating the credentials, which are the 
> client ID and the empty string, which is equivalent security-wise to any 
> other length of "secret" issued to a native client.

I am splitting hairs now, but according to the spec an empty parameter
value should be treated the same as if the parameter was not sent at
all. So, an empty secret violates the requirement for the parameter to be
present.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
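As an added illustration of the rule Marius describes (not code from the thread or from either implementation): a token-endpoint client check that drops empty parameter values as if absent, so a confidential client sending `client_secret=` fails the presence requirement while a public client that was never issued a secret is simply identified. The client registry, client ids and secret values are constructed for the example.

```python
from urllib.parse import parse_qsl
import hmac

# Constructed client registry for the example only. Secrets are stored in the
# clear here for brevity; a real server stores a salted hash instead.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "s3cret"},
    "native-app": {"confidential": False, "secret": None},  # no secret issued
}


def parse_params(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body.

    A parameter sent with an empty value is treated as if it had been omitted,
    so empty values are dropped rather than stored as "".
    """
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if value == "":
            continue  # empty value == parameter absent
        params[key] = value
    return params


def authenticate_client(body: str):
    """Return (ok, reason) for the client credentials in a token request.

    Confidential clients must present a client_secret that matches the one on
    file; public clients have nothing to verify and are only identified.
    """
    params = parse_params(body)
    client = CLIENTS.get(params.get("client_id"))
    secret = params.get("client_secret")
    if client is None:
        return False, "unknown client"
    if client["confidential"]:
        if secret is None:
            return False, "client_secret missing (empty counts as missing)"
        # Constant-time comparison so a wrong secret leaks no timing signal.
        if not hmac.compare_digest(secret.encode(), client["secret"].encode()):
            return False, "bad client_secret"
        return True, "confidential client authenticated"
    if secret is not None:
        return False, "public client sent a secret it was never issued"
    return True, "public client identified (not authenticated)"
```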