How should HTTP Basic be used for a client not in possession of a client secret?
On Mon, Jul 25, 2011 at 10:25 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote: > client_id is only required on the authorization endpoint, not the token > endpoint. -18 cleaned up how the document talked about client authentication > in general. So you should remove client_id from your draft and instead > mention client authentication (if appropriate). > > EHL > >> -----Original Message----- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Brian Campbell >> Sent: Monday, July 25, 2011 7:02 AM >> To: oauth >> Subject: [OAUTH-WG] treatment of client_id for authentication and >> identification >> >> I need to revisit a question that came up about two months ago. I thought I >> had a clear understanding of when client_id was and wasn't included in >> access token requests but drafts 18/19 seemed to have changed things (or >> my understanding of 16 was wrong). >> >> >> The question is, when is client_id a required parameter on requests to the >> token endpoint and when can/should it be omitted? >> >> In -16 I was under the impression that client_id was always to be included >> even when using HTTP Basic or other means of authentication. >> See http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-3.1 and >> http://www.ietf.org/mail-archive/web/oauth/current/msg06328.html for >> example. >> >> But the text and examples in -18/-19 would suggest that client_id is to be >> omitted when using HTTP Basic. Text in >> http://tools.ietf.org/html/draft-ietf-oauth-v2-19#section-2.4.1 and example >> in http://tools.ietf.org/html/draft-ietf-oauth-v2-19#section-4.1.3 >> >> I don't have a strong preference for either direction but do feel it needs to >> be more explicitly spelled out. Scenarios that should be accounted for are, >> for both clients in possession of a client password and clients without, >> using >> client_id/client_secret, using HTTP Basic and using other means of >> authentication/identification. >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
