In sections 4.1.3, 4.3.2, 4.4.2 and 6 there's a list of parameters included within the request and then the sentence, "The client includes its authentication credentials as described in Section 3." Reading through the spec yesterday afternoon with Paul, we first thought that client_secret was removed from these requests between drafts 10 and 16. This is because the list of parameters is quite obvious but this sentence referencing section 3 sort of just blends in.
We'd propose changing this sentence to read, "The client includes its authentication credentials as described in Section 3. Commonly the client_secret parameter." Goal being that client_secret is exposed within each section describing how to make a request in a way that holds true for most usage but doesn't make it more confusing for clients working with SAML (or other client authentication credentials).

--David