Peter Cimring
Thanks, Aaron
There’s one point that confuses me:
To fetch the Access Token, the OAuth spec implies (or seems to imply) that it’s sufficient to pass a client id (without a client secret) - see: https://tools.ietf.org/html…
However, in practice, Authorization Servers seem to require both the client id and the client secret - as you mentioned in the above article.
Have I missed something? (Or is this what the spec means by the “client type” being “confidential”?)
Thanks!