Read 3.2. I believe you'll find an escape clause there.

Phil
phil.h...@oracle.com

On 2011-04-04, at 5:08 PM, Marius Scurtescu wrote:

> On Mon, Apr 4, 2011 at 4:14 PM, Skylar Woodward <sky...@kiva.org> wrote:
>> In our implementation (not yet public) we accept the empty string ("") as
>> the value for clients not issued secrets. While this was done to simplify
>> the interface and implementation, it would make it compliant in my view. In
>> this case, the authorization server is validating the credentials, which are
>> the client ID and the empty string, which is equivalent security-wise to any
>> other length of "secret" issued to a native client.
>
> I am splitting hairs now, but according to the spec an empty parameter
> value should be treated the same as if the parameter was not sent at
> all. So, empty secret violates the requirement for the parameter to be
> present.
>
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
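
Added example, not part of the thread or of either poster's implementation: a Python sketch of the two readings discussed above. With `drop_empty=False` the server accepts `""` as the secret of a client that was never issued one; with `drop_empty=True` an empty parameter is treated as not sent, so the same request fails the presence check. The client registry, function names and result labels are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qsl

# Constructed client registry: "native-app" was never issued a secret.
CLIENTS = {"web-app": "s3cr3t-constructed", "native-app": ""}


def parse_params(body, drop_empty):
    """Decode a form-encoded token request body into a dict.

    drop_empty=True applies the rule cited in the thread: a parameter sent
    with an empty value is treated as if it had not been sent at all.
    """
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in params:
            # Assumption of this sketch: repeated parameters are rejected
            # rather than silently resolved to the first or last value.
            raise ValueError("duplicate parameter: " + name)
        if value == "" and drop_empty:
            continue
        params[name] = value
    return params


def check_client(body, drop_empty):
    """Return 'ok', 'missing_parameter' or 'bad_credentials' (hypothetical labels)."""
    try:
        params = parse_params(body, drop_empty)
    except ValueError:
        return "missing_parameter"
    # Both readings require client_id and client_secret to be present.
    if "client_id" not in params or "client_secret" not in params:
        return "missing_parameter"
    stored = CLIENTS.get(params["client_id"])
    if stored is None:
        return "bad_credentials"
    # Constant-time comparison, used for the empty-string case as well.
    if hmac.compare_digest(stored.encode(), params["client_secret"].encode()):
        return "ok"
    return "bad_credentials"
```

Whichever reading a server adopts, the parameter parser and the credential check have to agree on it, otherwise the empty-secret request is accepted or rejected depending on which layer sees it first.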