[Openid-specs-ab] Breaking change in OAuth 2.0 rev. 23

Nat Sakimura sakimura at gmail.com
Wed Mar 14 11:30:43 UTC 2012

On 2012/03/14, at 7:27, John Bradley <ve7jtb at ve7jtb.com> wrote:

Yes I didn't see any discussion on that before the change.

It is unclear if you can define a new client type,  it is not a real

Perhaps it is enough to say that any client asking for code token is hybrid
and needs to be treated appropriately.  Though that section seems to make
having a separate client_id for each component mandatory.

Indeed, and that's the breaking point.

On 2012-03-14, at 7:02 AM, Nat Sakimura wrote:

I only noticed now that rev 23 had a breaking change. it seems to
doesn't allow the response_type=code token unless we define another client
type such as "hybrid".

This is a breaking change.

I wonder why I did not notice it till now.

See below.

>From section 2.1of

"A client application consisting of multiple components, each with its
own client type (e.g. a distributed client with both a confidential
server-based component and a public browser-based component), *MUST*
register each component separately as a different client to ensure
proper handling by the authorization server."


Nat Sakimura (=nat)
Chairman, OpenID Foundation

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120314/cefe6129/attachment.html>

More information about the Openid-specs-ab mailing list