Thanks for the clarification. The subtle difference makes sense to
me, and indeed was what prompted me to address this list in the first
place.
It *is* subtle, though, and the oauth-v2-22 draft doesn't even hint at
it until six sections after a very clear "MUST" statement apparently
forbidding th

While Mike is working on a small update for draft-ietf-oauth-v2-bearer (to be
re-submitted soon) I have been compiling the document shepherd write-up.
This writeup will be attached to the draft when I send it to the IESG.
I thought I should share it with you just in case you have some additiona

Hi,
there is no contradiction. The subtle difference lies in the word "instance".
Using secrets for a software package (and all of its installations) is useless
and therefore not allowed. If you are able to issue a distinct id/secret pair
to every installation of your app, this is fine.
For a