oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

A single "client_id" MUST NOT be treated as more than one type of client. #34

Closed aaronpk closed 2 years ago

aaronpk commented 3 years ago

From Vittorio:


IMPORTANT: this is going to break many OAuth implementations with significant adoption. Auth0 is fine (each client_id is tied to a single client type) but I know of others that will break. I suggest softening to a SHOULD NOT.

aaronpk commented 3 years ago

I actually can't find the source for this text; it doesn't appear in 6749 or the Security BCP.

tlodderstedt commented 3 years ago

Me neither, but it sounds reasonable. Let's add it.

dickhardt commented 3 years ago

agreed

ioggstream commented 3 years ago

@aaronpk this has been merged iiuc, but the spec does not define client_id previously so it is not clear to the reader what a client_id is.

aaronpk commented 2 years ago

This was apparently added between April and July 2020, but I don't remember why.

https://www.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-parecki-oauth-v2-1-03.txt
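As an added illustration of the rule this issue debates (not code from the oauth-v2-1 repository or from any commenter), the following shows a token-endpoint check in which each `client_id` is bound to exactly one client type, so a confidential client's request is never silently downgraded to the public-client path when the secret is missing. The registry entries, secrets and function names are constructed for this example.

```python
import hmac

# Constructed registry: each client_id maps to exactly one client type.
CLIENT_REGISTRY = {
    "web-backend": {"type": "confidential", "secret": "s3cr3t-example"},
    "spa-app":     {"type": "public", "secret": None},
}


def register_client(registry, client_id, client_type, secret=None):
    """Register a client, refusing to give an existing client_id a second type."""
    if client_type not in ("confidential", "public"):
        raise ValueError("unknown client type")
    if client_type == "confidential" and not secret:
        raise ValueError("confidential clients must be issued a secret")
    if client_type == "public" and secret:
        raise ValueError("public clients must not hold a secret")
    existing = registry.get(client_id)
    if existing is not None and existing["type"] != client_type:
        raise ValueError(f"{client_id} is already registered as {existing['type']}")
    registry[client_id] = {"type": client_type, "secret": secret}


def classify_token_request(registry, client_id, presented_secret):
    """Return the single client type the server must apply to this request.

    Returns "confidential" only when the registered secret was presented,
    "public" only for a registered public client that presented no secret,
    and None for anything else. In particular, a confidential client that
    omits or mistypes its secret is rejected rather than handled as public,
    and a public client presenting a secret is not upgraded to confidential.
    """
    client = registry.get(client_id)
    if client is None:
        return None
    if client["type"] == "confidential":
        if presented_secret is None:
            return None
        return "confidential" if hmac.compare_digest(presented_secret, client["secret"]) else None
    # Public client: no secret exists, so any presented secret is a mismatch.
    return "public" if presented_secret is None else None
```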