The treatment of client_id in draft-ietf-oauth-assertions-01 seems a bit
inconsistent/problematic.

§4.1 & 4.2 say it's OPTIONAL.

§'s 6.1 and 6.2 have, "The client_id HTTP parameter SHOULD identify the
client to the authorization server" while 6.3 and 6.4 have, "The client_id
HTTP parameter MUST identify the client to the authorization server."  Are
these intended to be stronger than the optional in the 4.xs?  Or to say
that it should/must identify the client, in the case that the parameter is
present?

I would suggest that all of those except the one in §4.1 be removed and
that the 4.1 one be changed to say,

   "client_id  OPTIONAL.  The client identifier as described in Section 2
      of OAuth 2.0 [I-D.ietf.oauth-v2]. When present, the client_id MUST
(or SHOULD?) identify the client to the authorization server."

That would cover the client authentication cases and defer to the core spec
for authorization cases (though it's not 100% clear, I think it says or
should say that it's optional in most cases).

I'm not sure if that meets the original intent though?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
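The proposed wording above ("client_id OPTIONAL ... when present, MUST identify the client") is easy to get subtly wrong on the authorization-server side, so here is an added example of how a token endpoint could enforce it. This is illustration code, not text from the draft or from the poster: the request shapes, the placeholder assertion value, and the rule that a present client_id has to name the same client the (already validated) assertion identified are all assumptions; `assertion_client` stands in for whatever client identity the AS derived from the assertion.

```python
# Added example: token-endpoint handling of an OPTIONAL client_id that, when
# present, must identify the client (assumed here to mean: must match the
# client identified by the validated assertion). Not code from the draft.
from urllib.parse import parse_qs

# Grant type URN from the assertions drafts; used only as sample input here.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


class TokenRequestError(Exception):
    """Carries the OAuth 2.0 error code the token endpoint would return."""

    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code = code


def parse_form(body):
    """Parse an application/x-www-form-urlencoded token request body.

    OAuth 2.0 forbids repeating a parameter, so duplicates are rejected
    instead of silently taking the first or last value.
    """
    try:
        params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise TokenRequestError("invalid_request", f"malformed body: {exc}")
    dup = sorted(k for k, v in params.items() if len(v) > 1)
    if dup:
        raise TokenRequestError("invalid_request", f"duplicate parameter(s): {dup}")
    return {k: v[0] for k, v in params.items()}


def check_client_id(params, assertion_client):
    """Apply the proposed rule to the parsed parameters.

    assertion_client: the client identifier the AS obtained from the
    assertion it has already validated (assumption: that is what "identify
    the client to the authorization server" resolves to).
    Returns the client identifier the request is attributed to.
    """
    client_id = params.get("client_id")
    if client_id is None:
        # OPTIONAL: absent is fine, the assertion alone identifies the client.
        return assertion_client
    if client_id == "":
        raise TokenRequestError("invalid_request", "client_id present but empty")
    if client_id != assertion_client:
        # Present but naming a different client: treat as a client auth failure.
        raise TokenRequestError(
            "invalid_client", "client_id does not identify the authenticated client"
        )
    return client_id


def resolve_client(body, assertion_client):
    """Parse the body, require the assertion grant, and resolve the client."""
    params = parse_form(body)
    if params.get("grant_type") != JWT_BEARER:
        raise TokenRequestError("unsupported_grant_type", "expected jwt-bearer")
    if not params.get("assertion"):
        raise TokenRequestError("invalid_request", "assertion is required")
    return check_client_id(params, assertion_client)


# Constructed sample requests (the assertion value is a placeholder, not a JWT).
BASE = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
    "&assertion=PLACEHOLDER.ASSERTION.VALUE"
)
REQ_NO_CLIENT_ID = BASE
REQ_MATCHING = BASE + "&client_id=client-123"
REQ_MISMATCH = BASE + "&client_id=client-999"
REQ_DUPLICATE = BASE + "&client_id=client-123&client_id=client-123"


def outcome(body, assertion_client="client-123"):
    """Return ('ok', client) or ('error', code) for a sample request."""
    try:
        return ("ok", resolve_client(body, assertion_client))
    except TokenRequestError as exc:
        return ("error", exc.code)


if __name__ == "__main__":
    for name, body in [("absent", REQ_NO_CLIENT_ID), ("matching", REQ_MATCHING),
                       ("mismatch", REQ_MISMATCH), ("duplicate", REQ_DUPLICATE)]:
        print(name, outcome(body))
```

The absent case and the matching case both resolve to the client the assertion identified; a mismatching client_id is rejected as `invalid_client` rather than being ignored, and a repeated parameter is rejected before the rule is even applied.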