+1 to Dick's suggestion

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Dick Hardt
Sent: Friday, June 29, 2012 11:14 AM
To: John Bradley
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Report an authentication issue

On Jun 29, 2012, at 11:06 AM, John Bradley wrote:

> It is nice to know that I may occasionally be correct :)

You must be delighted when it happens! ;)

> While you may assume that it is reasonable for a client with a code to make a
> request to the token endpoint including its client_id and the server to only
> give out the access token if the client_id in the token request matches the
> one in the original authorization request. However the spec specifically
> doesn't require that.

I think that is an error in the spec and should be changed, or text added saying that the client_id SHOULD be checked.

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
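The check discussed in this thread, as an added example that is not part of the thread or of any OAuth implementation: a minimal authorization-server token endpoint that records which client_id (and redirect_uri) each authorization code was issued to, and refuses to exchange the code when the token request's client_id does not match. Class and method names are hypothetical.

```python
# Added example, not code from the mailing-list thread. Demonstrates binding an
# authorization code to the client_id of the original authorization request and
# enforcing that binding at the token endpoint.
from dataclasses import dataclass
import secrets
import time


@dataclass
class IssuedCode:
    client_id: str      # client_id named in the original authorization request
    redirect_uri: str   # redirect_uri used in that request
    expires_at: float   # absolute expiry time (epoch seconds)
    used: bool = False  # authorization codes are single-use


class AuthServer:
    """Hypothetical server keeping an in-memory table of issued codes."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, ttl=600):
        # Authorization endpoint: mint a code bound to this client_id/redirect_uri.
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, time.time() + ttl)
        return code

    def token(self, code, client_id, redirect_uri):
        # Token endpoint: returns (ok, access_token_or_error).
        rec = self._codes.get(code)
        if rec is None or rec.used or time.time() > rec.expires_at:
            return False, "invalid_grant"
        # The check the thread argues should be mandatory: the client_id in the
        # token request must equal the one from the authorization request.
        # On mismatch, treat the code as leaked and burn it so that a replay by
        # anyone, including the legitimate client, is refused afterwards.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            rec.used = True
            return False, "invalid_grant"
        rec.used = True
        return True, secrets.token_urlsafe(32)
```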