RFC 6749, "The OAuth 2.0 Authorization Framework", October 2012Source of RFC: oauth (sec)
Errata ID: 3780
Status: Held for Document Update
Reported By: Torsten Lodderstedt
Date Reported: 2013-11-04
Held for Document Update by: Kathleen Moriarty
Date Held: 2015-12-08
Section 3.2.1 says:
A client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint.
It should say:
A public client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint.
Note from AD: The provided link doesn't exactly demonstrate consensus, but the change makes sense, hence this is marked "Held for Document Update".
From Submitter: The current text may mislead confidential clients to sent their client_id in the request body in addition to their client_id and client_secret in the BASIC authz header. This leads to unnecessary duplication and ambiguities.
There has been consensus on the list that the intention of this sentence was to advise _public_ clients to identity themselves towards the token endpoint in order to mitigate substitution attacks and allow for logging. Confidential clients need to authenticate anyway, this sentence should be narrowed down to public clients only.
This issue was discovered in the course of the OpenID Connect Interop testings.