"Authorization codes MUST be kept confidential"

How exactly? They are not confidential by nature, being received via redirection in the URI query. I know what this sentence is trying to accomplish but not sure how to do that with normative language. SHOULD doesn't really work here either.
Suggestions?

EHL