oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Clarify when `client_id` is required to be sent to the token endpoint #24

Closed aaronpk closed 3 years ago

aaronpk commented 4 years ago

There is currently some inconsistency in implementations about whether `client_id` is a required parameter at the token endpoint. Some grants make it clear when it's required, but for example the refresh token grant does not mention it. We should clarify when it's required, and keep in mind existing deployments that may require it already for refresh token grants.

Historical note: This confusion between implementations is likely due to the fact that `client_id` was explicitly a required parameter in draft 10: https://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4

aaronpk commented 3 years ago

This has been cleared up in the refactoring from #78