@trwnh This is feedback from @rinsuki
Is it correct that client_secret is required in /oauth/authorize? QT: https://mstdn.rinsuki.net/@rinsuki/103365509034087580
@noellabo @rinsuki yes. otherwise, anyone could claim to be your client with only client_id.
@noellabo @rinsuki ah, i misread -- it is indeed a mistake. client_secret is secret and should not be provided to the user during /oauth/authorize. it has been fixed. thank you for bringing it to my attention!
@noellabo @rinsuki to be clear, client_secret is only needed when obtaining a token with /oauth/token
@noellabo @rinsuki or when revoking a token as well. it is not needed for obtaining an authorization code.
@trwnh @rinsuki I understand that. Thank you!