Re: Limitations of the OAuth 2.0 definition of “Client”
Thomas Hardjono has a very good blog entry, “Limitations of the OAuth 2.0 definition of ‘Client’”.
The essence of the entry is that the definition of “client” in OAuth 2.0 (RFC 6749) is too limiting and does not fit many current uses of the specification.
Here is the definition:
An application making protected resource requests on behalf of the resource owner and with its authorization.
This excludes many useful cases. The client simply may not be acting on behalf of the resource owner, even though it may be doing something good for the resource owner.
The UMA (draft-06) definition of the “client” is much better:
An application making protected resource requests with the resource owner’s authorization and on the requesting party’s behalf.
Note that the “requesting party” is a defined term:
An end-user, or a corporation or other legal person, that uses a client to seek access to a protected resource. The requesting party may or may not be the same party as the resource owner.
and also that “resource owner” is a defined term, and does not have to “own” the resource:
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.