As to the question of interoperability, the fact that OAuth allows freedom of choice to the AS for method of authentication makes this point moot. Would you agree? (short of various providers could pooling together to standardize on an auth method outside of the spec).
One possible standard for clients without the capability to protect secrets would be to just omit secrets. Do you agree?
And the spec itself could (should in my opinion) set this standard. regards, Torsten. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
