On Thu, Jun 16, 2011 at 8:48 AM, Thomas Hardjono <hardj...@mit.edu> wrote:
> >>> Requiring client authentication doesn't defend against
> >>> attacks directly; it makes recovery after a successful
> >>> attack easier.
>
> I presume you mean direct attacks on the authorization server.
> Also attacks on the clients.
> But wouldn't requiring OAuth clients to authenticate (in
> some manner to the authorization server) at least reduce
> the opportunity for DOS attacks to the authorization server?
> One more reason to use client authentication for the access token endpoint.