Terminology problem: Don’t call client secrets keys
The draft currently says “OAuth defines an alternative method for clients to authenticate with symmetric client keys through the use of the client_id and client_secret parameter in the message request body.” The client secret isn’t a key; a key is something that locks something, like a hash or encryption. The client secret is a secret, or more properly it’s a bloody password. But whatever you call it, it isn’t a symmetric key, so please don’t use that term.
This terminology problem also occurs in the sentence “Asymmetric client authentication allows the client to authenticate with the authorization server without sending its secret key.” The client isn’t sending a secret key – it’s sending a client secret.
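The distinction the reporter draws can be shown in code. The following is an added example, not text from the issue, the OAuth draft or the working group: a toy authorization server that accepts the same access-token request under two client-authentication styles. In the password style the client_secret is itself a body parameter and the server stores only a salted hash and compares. In the key style the credential is never transmitted; it is used to compute an HMAC over the request, and the server must hold the key itself to verify. The client_id, client_secret, authorization code, nonce and the canonical signing format are assumptions made for this illustration and are not the draft's signature method; the asymmetric variant in the draft's second sentence follows the same "credential used, never sent" pattern with a private key and a public-key signature, which the Python standard library cannot demonstrate and which is therefore left out here.

```python
# Added example (not from the issue or the OAuth draft): a toy authorization
# server accepting two client-authentication styles, to show why a
# client_secret is a password and not a key. Names, values and the HMAC
# signing format are assumptions made for this illustration.
import hashlib
import hmac
import os
from urllib.parse import urlencode

# Constructed sample registration data.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "7Fjfp0ZBr1KtDRbnfVdmIw"   # password-style credential
CLIENT_KEY = os.urandom(32)                 # symmetric key, never sent on the wire
PBKDF2_ROUNDS = 100_000


def register_secret(client_id, client_secret):
    """Password style: the server stores only a salted hash of the secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, PBKDF2_ROUNDS)
    return {"client_id": client_id, "salt": salt, "secret_hash": digest}


def secret_post_request(client_id, client_secret, code):
    """Password style: the secret itself is a request-body parameter."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret}


def verify_secret_post(store, body):
    """Server side: recompute the hash and compare in constant time."""
    rec = store.get(body.get("client_id"))
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", body.get("client_secret", "").encode(),
                                 rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["secret_hash"])


def _canonical(params):
    # Deterministic byte string both sides MAC over (assumed format).
    return urlencode(sorted(params.items())).encode()


def hmac_signed_request(client_id, key, code, nonce):
    """Key style: the key produces a MAC over the request; only the MAC travels."""
    params = {"grant_type": "authorization_code", "code": code,
              "client_id": client_id, "nonce": nonce}
    params["signature"] = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return params


def verify_hmac_signed(keystore, body, seen_nonces):
    """Server side: needs the key itself (it cannot be stored as a hash),
    recomputes the MAC, rejects tampered bodies and replayed nonces."""
    key = keystore.get(body.get("client_id"))
    sig, nonce = body.get("signature"), body.get("nonce")
    if key is None or sig is None or nonce is None or nonce in seen_nonces:
        return False
    params = {k: v for k, v in body.items() if k != "signature"}
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    seen_nonces.add(nonce)
    return True


def run_demo():
    """Exercise both styles; returns the observations as a dict of booleans."""
    secret_store = {CLIENT_ID: register_secret(CLIENT_ID, CLIENT_SECRET)}
    keystore = {CLIENT_ID: CLIENT_KEY}
    seen = set()
    code = "SplxlOBeZQQYbYS6WxSbIA"   # constructed authorization code

    pw_req = secret_post_request(CLIENT_ID, CLIENT_SECRET, code)
    sig_req = hmac_signed_request(CLIENT_ID, CLIENT_KEY, code, nonce="n-1")
    # Attacker alters the code but cannot recompute the MAC without the key.
    tampered = dict(sig_req, code="attacker-chosen", nonce="n-2")

    return {
        "secret_in_body": CLIENT_SECRET in pw_req.values(),   # password is on the wire
        "key_in_body": CLIENT_KEY in sig_req.values(),        # key is not
        "secret_ok": verify_secret_post(secret_store, pw_req),
        "secret_wrong": verify_secret_post(
            secret_store, secret_post_request(CLIENT_ID, "guess", code)),
        "mac_ok": verify_hmac_signed(keystore, sig_req, seen),
        "mac_replay": verify_hmac_signed(keystore, sig_req, seen),
        "mac_tampered": verify_hmac_signed(keystore, tampered, seen),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two consequences of the terminology fall out of the code: the password-style secret can be stored as a salted hash because the server only ever compares it, whereas a key (symmetric or private) must be held in verifiable form because it is used to compute or check a MAC or signature; and a transmitted secret is exposed to anything on the path or in the server's request logs, while a key is not, so the two credential types have different storage, logging and rotation requirements even though the draft lumped them under one word.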
Comments (6)

reporter: This text occurs in Draft 06, Section 3.2.1 (Access Token Request).

changed status to open

assigned issue to

re #342 Messages - Signing/Key cleanup.

changed status to resolved

Fix #342 Messages - Signing/Key cleanup.
Where? Spec Abbrev and Section number are mandatory in these comments.
Please indicate them.