Episode 526: Brian Campbell on Proof of Possession Defenses

Software Engineering Radio - the podcast for professional software developers

OAuth

In an open deployment, the self-signed certificate is sufficient because the trust is established through the registration of that certificate for that particular client. So it doesn't have to be a closed environment to facilitate it. It's just relying on a little bit of a different trust model. And then you have to, things have to be set up such that your servers will accept any trust anchor. They basically are told to turn off validating the trust anchor. The OAuth layers on top of that and says, okay, great, you've proven possession of the key. Is that in fact the key that I'm supposed to get for this client? If so, authenticate good, if not authent
