Another omission[1] (maybe, I believe it is anyway) from the Device Flow is
that client authentication isn't defined for the device authorization
request to the device authorization endpoint.

I suspect that it's largely an oversight because public clients are really
the canonical use case for the device flow and no authentication is needed or
possible in that case. There are, however, likely to be cases where a
client with credentials will do the device flow and it would be good for
the AS to be able to properly authenticate such clients before setting up
and saving the state for the transaction. Having normal client
authentication at the device authorization endpoint also brings better
consistency to client identification/authentication for requests made
directly from client to AS.


[1] error responses from the device authorization endpoint should probably
also be defined
https://mailarchive.ietf.org/arch/msg/oauth/DMTUR1msdNQPiLh0xVXe39933k4

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
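As an added example (this is not code from the email, from the draft under discussion, or from any IETF document), the following Python sketch shows what the author is asking for: a device authorization endpoint handler that applies the same client identification/authentication rules the token endpoint uses (client_secret_basic or client_secret_post for confidential clients, bare client_id for public clients) and only creates and stores the device_code/user_code transaction state after that check passes. It also returns the footnote's missing error responses using the error-code vocabulary of the token endpoint (invalid_client, invalid_request, invalid_scope), which is an assumption here, not something the email specifies. The client registry, client IDs, secret, verification URI and lifetimes are constructed for the example.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registry (hypothetical IDs and secret, not real credentials).
# A public client has no secret; a confidential client must prove possession of its secret.
CLIENTS = {
    "tv-app": {"secret": None, "scopes": {"profile"}},
    "kiosk-backend": {"secret": "example-secret-not-for-production", "scopes": {"profile", "email"}},
}

PENDING = {}          # device_code -> transaction state; written only after the client check passes
CODE_LIFETIME = 600   # seconds a device_code/user_code pair stays valid (assumed value)
VERIFICATION_URI = "https://as.example/device"  # hypothetical AS URL


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header a confidential client would send (client_secret_basic)."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return "Basic " + token


def _parse_basic(header):
    """Decode an HTTP Basic Authorization header into (client_id, client_secret), or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def authenticate_client(headers, form):
    """Identify the client and, for confidential clients, authenticate it the way the token
    endpoint does. Returns (client_id, None) on success or (None, (status, error_body)) on failure."""
    basic = _parse_basic(headers.get("Authorization"))
    post_id = form.get("client_id", [None])[0]
    post_secret = form.get("client_secret", [None])[0]

    if basic and post_secret is not None:
        # A client must not use more than one authentication method in a single request.
        return None, (400, {"error": "invalid_request",
                            "error_description": "multiple client authentication methods"})

    if basic:
        client_id, presented, method = basic[0], basic[1], "basic"
    else:
        client_id, presented, method = post_id, post_secret, "post"

    client = CLIENTS.get(client_id) if client_id else None
    if client is None:
        # Unknown client: 401 when HTTP auth was attempted, 400 otherwise.
        return None, (401 if method == "basic" else 400, {"error": "invalid_client"})

    registered = client["secret"]
    if registered is None:
        # Public client: identification only; a secret it was never issued is rejected.
        if presented is not None:
            return None, (400, {"error": "invalid_client"})
        return client_id, None

    # Confidential client: the secret is mandatory and compared in constant time.
    if presented is None or not hmac.compare_digest(presented.encode(), registered.encode()):
        return None, (401 if method == "basic" else 400, {"error": "invalid_client"})
    return client_id, None


def _user_code():
    """Short code the user types on another device; consonant-only alphabet avoids forming words."""
    alphabet = "BCDFGHJKLMNPQRSTVWXZ"
    code = "".join(secrets.choice(alphabet) for _ in range(8))
    return code[:4] + "-" + code[4:]


def device_authorization(headers, body):
    """Handle a POST to the device authorization endpoint.
    Returns (http_status, json_body). No state is saved until the client has been authenticated."""
    form = parse_qs(body, keep_blank_values=True)
    client_id, err = authenticate_client(headers, form)
    if err:
        return err
    requested = set(form.get("scope", [""])[0].split())
    if not requested <= CLIENTS[client_id]["scopes"]:
        return 400, {"error": "invalid_scope"}

    device_code = secrets.token_urlsafe(32)
    user_code = _user_code()
    PENDING[device_code] = {
        "client_id": client_id, "user_code": user_code, "scope": sorted(requested),
        "expires_at": time.time() + CODE_LIFETIME, "status": "authorization_pending",
    }
    return 200, {"device_code": device_code, "user_code": user_code,
                 "verification_uri": VERIFICATION_URI, "expires_in": CODE_LIFETIME, "interval": 5}


if __name__ == "__main__":
    print(device_authorization({}, "client_id=tv-app&scope=profile"))
    hdr = basic_auth_header("kiosk-backend", "example-secret-not-for-production")
    print(device_authorization({"Authorization": hdr}, "scope=profile%20email"))
    print(device_authorization({}, "client_id=kiosk-backend&scope=profile"), len(PENDING))
```

The point the example makes concrete is the ordering: a confidential client that omits or mangles its secret gets an invalid_client error and no entry in PENDING, so an unauthenticated caller cannot fill the AS with pending transactions on behalf of a registered confidential client, while the public client path is unchanged.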
