Draft looks good - readability is up considerably from previous drafts.
Getting pretty close IMO
Comments:
1) I'd vote for dropping the following from 1.4.2. In turn I'd discuss some
of the security considerations, such as the difficulty of protecting a
client_secret in almost all use-cases of this profile.
"Implicit grants improve the responsiveness and efficiency of some
clients (such as a client implemented as an in-browser application)
since it reduces the number of round trips required to obtain an
access token."
2) Section 2.1, we should MUST TLS even for Authorization Code.
3) Section 4.1.3 - not clear to me why redirect_uri is REQUIRED since in 4.1.1
it's "REQUIRED unless"
4) Section 4.2.2 - when did we drop refresh_token? I assume this goes back
to disagreement on how best to handle native clients. I'd prefer it to simply
reference 5.1 and leave what is issued up to the security profile of the
particular deployment.
...and of course section 9.
-cmort
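[Editor's added example, not part of either message and not code from the OAuth draft: a toy authorization server in Python that makes the four points above concrete. It refuses non-TLS redirect URIs and a non-TLS token endpoint (point 2), applies "REQUIRED unless a single redirect_uri is registered" at the authorization endpoint and then requires redirect_uri at the token endpoint exactly when it was sent in the authorization request (point 3), expects no client_secret from the in-browser client (point 1), and returns the implicit-grant token in the fragment with no refresh_token while the code grant does get one (point 4). The client registry, the client_secret value, the URIs, and the helper names `authorize`, `token` and `code_from_redirect` are all constructed for the example; the draft text itself does not prescribe this particular behaviour.]

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry for the example (not data from the draft).
CLIENTS = {
    # Server-side web app: can keep a client_secret.
    "web-app": {"confidential": True, "secret": "s3cr3t",
                "redirect_uris": {"https://app.example/cb"}},
    # In-browser app: a client_secret could not be protected, so none is issued.
    "browser-app": {"confidential": False, "secret": None,
                    "redirect_uris": {"https://spa.example/cb"}},
    # Registered with a plain-http callback; the server refuses to use it.
    "legacy-app": {"confidential": False, "secret": None,
                   "redirect_uris": {"http://legacy.example/cb"}},
}

# issued code -> (client_id, redirect_uri, redirect_uri was sent explicitly)
_codes = {}


def _resolve_redirect_uri(client, redirect_uri):
    """'REQUIRED unless a single URI is registered', plus a TLS check."""
    if redirect_uri is None:
        if len(client["redirect_uris"]) != 1:
            raise ValueError("redirect_uri is required for this client")
        redirect_uri = next(iter(client["redirect_uris"]))
    elif redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use TLS")
    return redirect_uri


def authorize(params):
    """Authorization endpoint. Returns the URI the user agent is sent to."""
    client = CLIENTS[params["client_id"]]
    explicit = "redirect_uri" in params
    redirect_uri = _resolve_redirect_uri(client, params.get("redirect_uri"))
    state = {"state": params["state"]} if "state" in params else {}
    if params["response_type"] == "code":
        code = secrets.token_urlsafe(16)
        _codes[code] = (params["client_id"], redirect_uri, explicit)
        return redirect_uri + "?" + urlencode({"code": code, **state})
    if params["response_type"] == "token":
        # Implicit grant: the token travels in the fragment; no refresh_token.
        grant = {"access_token": secrets.token_urlsafe(16),
                 "token_type": "bearer", "expires_in": 3600, **state}
        return redirect_uri + "#" + urlencode(grant)
    raise ValueError("unsupported response_type")


def token(params, over_tls=True):
    """Token endpoint for the authorization code grant. TLS is mandatory."""
    if not over_tls:
        raise ValueError("token endpoint requires TLS")
    client = CLIENTS[params["client_id"]]
    if client["confidential"] and not secrets.compare_digest(
            params.get("client_secret", ""), client["secret"]):
        raise ValueError("client authentication failed")
    if params.get("grant_type") != "authorization_code":
        raise ValueError("unsupported grant_type")
    entry = _codes.pop(params.get("code"), None)  # pop: a code is single use
    if entry is None:
        raise ValueError("invalid, expired or reused code")
    client_id, bound_uri, explicit = entry
    if client_id != params["client_id"]:
        raise ValueError("code was issued to a different client")
    # redirect_uri is required here exactly when the authorization request
    # carried one, and whenever present it must match the bound value.
    if (explicit or "redirect_uri" in params) and \
            params.get("redirect_uri") != bound_uri:
        raise ValueError("redirect_uri mismatch")
    return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer",
            "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}


def code_from_redirect(uri):
    """Extract the code from the redirect URI the client received."""
    return parse_qs(urlsplit(uri).query)["code"][0]
```

The redirect_uri binding matters because the code is delivered through the user agent: without the token-endpoint comparison an attacker who obtains a code via a mis-registered or attacker-influenced callback can redeem it. Consuming the code with `pop` before any other check also means a code that fails the redirect_uri comparison cannot be retried.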
On 3/1/11 11:32 PM, "Hannes Tschofenig" <[email protected]> wrote:
This is a Last Call for comments on
http://www.ietf.org/id/draft-ietf-oauth-v2-13.txt
Please have your comments in no later than March 16.
Do remember to send a note in if you have read the document and have no
other comments other than "its ready to go" - we need those as much as we need
"I found a problem".
Thanks!
Hannes & Blaine
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth