[Openid-specs-ab] client secret
ve7jtb at ve7jtb.com
Thu Oct 13 18:33:47 UTC 2011
In Messages Sec 3.2 we have extended the request for an access token to include a secret_type parameter.
This indicates if client_secret is a JWT or shared secret.
OAuth 2.0 Sec 2.3.2 states that the authentication method is established for the client at registration, and the token endpoint uses the registered method for the client identifier.
Should we change this to be consistent with the OAuth 2.0 spec? (I suspect so)
It is potentially a breaking change for some implementations so it should be discussed.
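The OAuth 2.0 Sec 2.3.2 rule cited above, as an added example that is not part of the original message or of any specification text: a token endpoint that takes the authentication method from the client's registration, so a request-supplied secret_type cannot change it. The registry, the labels `shared` and `jwt`, the HS256 JWT format and the choice to reject a contradicting secret_type are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed registry: the authentication method is fixed per client at registration.
REGISTERED = {
    "client-a": {"method": "shared", "key": b"a-shared-secret"},
    "client-b": {"method": "jwt", "key": b"b-signing-key"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 compact JWT (sample input generator for this example)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def _verify_jwt(token: str, key: bytes, client_id: str) -> bool:
    # Only signature and issuer are checked; expiry, audience and replay are out of scope here.
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            return False
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return False
        return json.loads(_unb64url(body)).get("iss") == client_id
    except (ValueError, TypeError, AttributeError):
        return False

def authenticate_client(client_id, client_secret, secret_type=None) -> bool:
    """Authenticate with the registered method; the request cannot choose it."""
    reg = REGISTERED.get(client_id)
    if reg is None:
        return False
    # Assumption: a secret_type that contradicts registration is rejected, not obeyed.
    if secret_type is not None and secret_type != reg["method"]:
        return False
    if reg["method"] == "jwt":
        return _verify_jwt(client_secret, reg["key"], client_id)
    return hmac.compare_digest(client_secret.encode(), reg["key"])
```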