On Fri, Aug 30, 2013 at 3:41 PM, Martin Ždila <m.zd...@mwaysolutions.com> wrote:

> Hello
>
> There are some unclear parts in the OAuth 2.0 specification.
>
> *1.* In 4.3. (B) there is the following statement:
>
> When making the request, the client
> authenticates with the authorization server.
>
> In 4.3.2 there is the following statement:
>
> If the client type is confidential or the client was issued client
> credentials (or assigned other authentication requirements), the
> client MUST authenticate with the authorization server as described
> in Section 3.2.1 <http://tools.ietf.org/html/rfc6749#section-3.2.1>.
>
> The first statement states that client credentials must always be passed.
> The second states that they are required only for certain client types.
>
> Also, if the client type doesn't provide credentials, there is no means to
> identify it, and so it is impossible to check if client credentials were actually
> required.

I'm sorry the spec was not clear to you when you read it. Unfortunately, your question is not clear to me, so I don't know how to answer it.

> *2.* Authorization Code Grant and Implicit Grant use different URL parts
> to encode their responses. The former uses the query and the latter the fragment. If the request
> has an invalid or missing response_type parameter then the user agent should be
> redirected to a URL with an error response where
> error=unsupported_response_type. But if we don't know what type of grant we
> are handling, where do we put the error parameters? In the query or fragment part of
> the URL?
>
> Please clarify that.

The grant type is a parameter in the request, so the authorization server knows the request type from that and hence how to respond.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
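An added example, not part of this thread or of any OAuth implementation, showing how an authorization server can act on both points above: for point 1, a confidential client (one that was issued a secret) must authenticate at the token endpoint while a public client is accepted on its `client_id` alone; for point 2, the server reads `response_type` from the authorization request and places the error in the query for `code` and in the fragment for `token`. The client registry, the client identifiers, secrets and redirect URIs are constructed for the example; the fallback to the query component when `response_type` is absent or unrecognised is an assumption of this example (no fragment-carrying grant can be identified in that case), as is refusing to redirect at all when the `redirect_uri` is not registered for the client.

```python
import hmac
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry (hypothetical; stands in for the authorization
# server's database). Confidential clients were issued a secret and must
# authenticate; public clients are only identified by client_id.
CLIENTS = {
    "web-app": {"type": "confidential", "secret": "s3cret",
                "redirect_uris": ["https://app.example/cb"]},
    "spa": {"type": "public", "secret": None,
            "redirect_uris": ["https://spa.example/cb"]},
}

# response_type -> URL component that carries the response (and any error):
# query for the authorization code grant, fragment for the implicit grant.
RESPONSE_MODE = {"code": "query", "token": "fragment"}


def authenticate_client(client_id, client_secret=None):
    """Token-endpoint check (point 1): a confidential client MUST present its
    credentials; a public client is accepted on client_id alone."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    if client["type"] == "confidential":
        # Constant-time comparison so the check does not leak the secret length-wise.
        return client_secret is not None and hmac.compare_digest(
            client_secret, client["secret"])
    return True


def build_error_redirect(redirect_uri, response_type, error, state=None):
    """Append error parameters to redirect_uri in the component the grant
    uses. Assumption: when response_type is unknown, use the query."""
    fields = {"error": error}
    if state is not None:
        fields["state"] = state  # echo state back so the client can correlate
    mode = RESPONSE_MODE.get(response_type, "query")
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    encoded = urlencode(fields)
    if mode == "fragment":
        fragment = encoded
    else:
        query = f"{query}&{encoded}" if query else encoded
    return urlunsplit((scheme, netloc, path, query, fragment))


def check_authorization_request(params):
    """Authorization-endpoint check (point 2). Returns None when the request
    is acceptable, otherwise the URL the user agent should be sent to with the
    error. Raises when the redirect target itself cannot be trusted: an
    unregistered redirect_uri must not be redirected to (the user should be
    shown the error instead)."""
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri")
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unknown client or unregistered redirect_uri: do not redirect")
    response_type = params.get("response_type")
    if response_type not in RESPONSE_MODE:
        return build_error_redirect(redirect_uri, response_type,
                                    "unsupported_response_type",
                                    params.get("state"))
    return None


if __name__ == "__main__":
    print(check_authorization_request(
        {"client_id": "spa", "redirect_uri": "https://spa.example/cb"}))
    print(build_error_redirect("https://spa.example/cb", "token", "access_denied"))
```

Note that the `redirect_uri` validation happens before any error is placed: the error-placement question only arises once the server has confirmed it is sending the user agent to a URI the client registered, so an attacker-supplied `redirect_uri` never becomes the destination of an error redirect.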