So what is the use case of response_type=token%20code? I thought, in that use case, token was for the client's client-side component, code was for the client's server-side component, and both of them have the same client_id.
--
nov

On Mar 12, 2012, at 12:57 AM, Eran Hammer <e...@hueniverse.com> wrote:

> If you have two components each with a different security profile, you must
> assign each a different client_id. Otherwise, there is no way to enforce the
> rest of the spec's security requirements.
>
> EH
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of nov matake
>> Sent: Sunday, March 11, 2012 8:25 AM
>> To: oauth@ietf.org WG
>> Subject: [OAUTH-WG] Clarification of "client application consisting of
>> multiple components"
>>
>> Hi,
>>
>> I just found this sentence in the latest draft.
>>
>> Does it mean "an application consisting of server-side and client-side
>> component (e.g. foursquare iPhone app) MUST have separate client_id for
>> each component"?
>> Or can I imagine something like Facebook is doing right now? (register each
>> component for a single client_id separately)
>>
>> ==
>> A client application consisting of multiple components, each with its own
>> client type (e.g. a distributed client with both a confidential server-based
>> component and a public browser-based component), MUST register each
>> component separately as a different client to ensure proper handling by the
>> authorization server. The authorization server MAY provide tools to manage
>> such complex clients through a single administration interface.
>> ==
>>
>> --
>> nov <n...@matake.jp>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
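Added example, not part of the original thread or of the draft: a sketch of why an authorization server needs one client_id per component, since the client_id is the only key it has for deciding which response types to allow and whether a secret must be presented. The client ids `app-server` and `app-browser`, the per-registration response-type policy, the secret and the `allow`/`deny:` result labels are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str                # "confidential" or "public"
    response_types: frozenset       # response types this registration may request
    secret: Optional[str] = None    # only a confidential client holds one

# Constructed registrations: one application, two components, two client_ids.
REGISTRY = {c.client_id: c for c in (
    Client("app-server", "confidential", frozenset({"code"}), "constructed-secret"),
    Client("app-browser", "public", frozenset({"token"})),
)}

def check_authorization_request(client_id: str, response_type: str) -> str:
    """Authorization endpoint: the registration behind client_id decides what may be requested."""
    client = REGISTRY.get(client_id)
    if client is None:
        return "deny:unknown-client"
    requested = set(response_type.split())   # "token code" -> {"token", "code"}
    if not requested or not requested <= client.response_types:
        return "deny:response-type-not-registered"
    return "allow"

def check_code_exchange(client_id: str, presented_secret: Optional[str] = None) -> str:
    """Token endpoint: client_id is the only input that says whether a secret is required."""
    client = REGISTRY.get(client_id)
    if client is None:
        return "deny:unknown-client"
    if "code" not in client.response_types:
        return "deny:grant-not-registered"
    if client.client_type == "confidential":
        if presented_secret is None or not hmac.compare_digest(
                presented_secret.encode(), client.secret.encode()):
            return "deny:client-authentication-failed"
    return "allow"

if __name__ == "__main__":
    for cid, rt in [("app-server", "code"), ("app-browser", "token"),
                    ("app-browser", "code"), ("app-browser", "token code")]:
        print(cid, repr(rt), "->", check_authorization_request(cid, rt))
    print(check_code_exchange("app-server", "constructed-secret"))
    print(check_code_exchange("app-server"))
```

If both components shared one client_id, the registry would hold a single client type and a single policy, so the server could not require the secret from the server-side component without also expecting it from the browser-side one.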