The treatment of client_id in draft-ietf-oauth-assertions-01 seems a bit inconsistent/problematic.
§4.1 & 4.2 say it's OPTIONAL. §§ 6.1 and 6.2 have, "The client_id HTTP parameter SHOULD identify the client to the authorization server" while 6.3 and 6.4 have, "The client_id HTTP parameter MUST identify the client to the authorization server." Are these intended to be stronger than the OPTIONAL in the 4.x's? Or to say that it should/must identify the client, in the case that the parameter is present? I would suggest that all of those except the one in §4.1 be removed and that the 4.1 one be changed to say, "client_id OPTIONAL. The client identifier as described in Section 2 of OAuth 2.0 [I-D.ietf.oauth-v2]. When present, the client_id MUST (or SHOULD?) identify the client to the authorization server." That would cover the client authentication cases and defer to the core spec for authorization cases (though it's not 100% clear, I think it says or should say that it's optional in most cases). I'm not sure if that meets the original intent though?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
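The proposed wording ("client_id is OPTIONAL; when present it MUST identify the client") is the kind of rule a token endpoint can enforce mechanically. The following is an added illustration, not code from the draft or from any project on this list: a token-endpoint check that derives the client from an already-verified client assertion (signature validation is assumed to have happened elsewhere; the `verified_assertions` lookup and the use of the assertion's `sub` claim as the client identifier are assumptions of this example) and rejects a request whose explicit client_id names a different client.

```python
from typing import Mapping, Optional


class TokenRequestError(Exception):
    """Raised when the token request must be rejected (carries the OAuth error code)."""


def authenticated_client(
    params: Mapping[str, str],
    verified_assertions: Mapping[str, Mapping[str, str]],
) -> Optional[str]:
    """Return the client identified by client authentication, or None if the
    request carries no client_assertion (e.g. a public client).

    verified_assertions maps an assertion string to its already-verified claims;
    signature and audience checks are assumed to be done before this point.
    """
    assertion = params.get("client_assertion")
    if assertion is None:
        return None
    claims = verified_assertions.get(assertion)
    if claims is None:
        # Unknown or unverified assertion: the client did not authenticate.
        raise TokenRequestError("invalid_client")
    # Assumption: in the assertion-based client authentication profile the
    # subject of the assertion names the client.
    return claims["sub"]


def check_client_id(
    params: Mapping[str, str],
    verified_assertions: Mapping[str, Mapping[str, str]],
) -> Optional[str]:
    """Apply the proposed rule: client_id is OPTIONAL, but when present it
    MUST identify the client. Returns the effective client identifier."""
    authenticated = authenticated_client(params, verified_assertions)
    declared = params.get("client_id")
    if declared is None:
        # Parameter absent: the authenticated client (if any) is the client.
        return authenticated
    if authenticated is not None and declared != authenticated:
        # client_id contradicts the authenticated identity; do not let the
        # request act on behalf of whichever client the attacker typed in.
        raise TokenRequestError("invalid_client")
    return declared
```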