Thanks Justin, a couple comments/questions are inline...

On Thu, Apr 5, 2012 at 10:53 AM, Justin Richer <jric...@mitre.org> wrote:
>
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-01
>
>
> Section 7's second portion about a client including multiple credentials
> types seems buried down here in the Error Responses section for something
> this fundamental.

Yeah, I can see that. Although the restriction on multiple client
authentication methods is actually inherited from core OAuth (last
sentence in http://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-2.3)
so maybe there shouldn't even be normative language about it in this doc?

> It also conflates discussion of selection of this client
> authorization type in here, where it ought to be in its own section, closer
> to the top.

I'm not sure I follow you here? As I re-read §7 I think it might make
sense to break it into two pieces, one on grants and one on client
auth.  Maybe a 7.1 and a 7.2 or maybe subsections of §4, like a §4.1.1
for client authentication errors and §4.2.1 for authz/grant errors.
But I don't think that was what your comment was about?

Was your comment that this text should live somewhere else?
  "Token endpoints can differentiate between assertion based
   credentials and other client credential types by looking for the
   presence of the client_assertion and client_assertion_type attributes
   which will only be present when using assertions for client
   authentication."

I wouldn't disagree with you there, if that was the case.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
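As an added example (not text from the draft and not code from anyone on this list), here is how a token endpoint could apply the rule discussed above: recognise assertion-based client authentication by the presence of client_assertion and client_assertion_type, keep that separate from an assertion used as the grant itself (the assertion parameter), and reject a request that uses more than one client authentication method. The function name, the method labels and the use of invalid_request (the RFC 6749 error code for a request that "utilizes more than one mechanism for authenticating the client") are my choices.

```python
from urllib.parse import parse_qs

# Assertion client authentication is signalled by these two form parameters;
# they only appear when assertions are used for client authentication.
ASSERTION_AUTH_PARAMS = ("client_assertion", "client_assertion_type")


class InvalidRequest(Exception):
    """OAuth 'invalid_request' error; the message says which rule failed."""


def classify_token_request(headers, body):
    """Return (client_auth_method, uses_assertion_grant) for one token request.

    client_auth_method is 'basic', 'secret_post', 'assertion' or None.
    Raises InvalidRequest when a parameter repeats, when only one of the two
    assertion parameters is present, or when several auth methods are used.
    """
    form = parse_qs(body, keep_blank_values=True)
    repeated = [k for k, v in form.items() if len(v) > 1]
    if repeated:
        raise InvalidRequest("repeated parameter: " + ", ".join(repeated))

    methods = []
    # HTTP Basic carries the client password in the Authorization header
    # (header names are matched case-insensitively).
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("authorization", "").split(" ", 1)[0].lower() == "basic":
        methods.append("basic")
    # client_secret in the body is the form-encoded client password method.
    if "client_secret" in form:
        methods.append("secret_post")
    # Assertion client auth: the two parameters must travel together.
    present = [p for p in ASSERTION_AUTH_PARAMS if p in form]
    if present:
        if len(present) != len(ASSERTION_AUTH_PARAMS):
            raise InvalidRequest("client_assertion and client_assertion_type "
                                 "must both be present")
        methods.append("assertion")

    if len(methods) > 1:
        raise InvalidRequest("more than one client authentication method: "
                             + ", ".join(methods))

    # An assertion used as the authorization grant is a different thing from
    # client authentication; it travels in the 'assertion' parameter.
    uses_assertion_grant = "assertion" in form
    return (methods[0] if methods else None, uses_assertion_grant)
```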