I'm not sure normative language even fits here. We need something like
"Authorization codes should be treated as sensitive and the client needs
to try to make sure it doesn't leak the authorization code." But more
formal and less garden pathy than I'm able to pen at the moment.
-- Justin
On 7/8/2011 2:39 PM, Eran Hammer-Lahav wrote:
"Authorization codes MUST be kept confidential"
How exactly? They are not confidential by nature, being received via
redirection in the URI query. I know what this sentence is trying to accomplish
but not sure how to do that with normative language. SHOULD doesn't really work
here either.
Suggestions?
EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
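The client-side handling Justin describes ("the client needs to try to make sure it doesn't leak the authorization code"), as an added Python example that is not part of this thread: the code is read from the redirection URI query, the state parameter is checked, a replayed code is refused, and only a redacted copy of the URI is produced for logging. The redirect URL, parameter values and function names are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import hmac

# Constructed sample redirect (not from the thread); values are placeholders.
SAMPLE_REDIRECT = "https://client.example/cb?code=c0nstructed-code-123&state=xyz789"

# Codes this client has already exchanged; a replayed redirect is refused.
_consumed_codes = set()


def redact_code(url):
    """Copy of the redirection URI with the code value replaced.
    This is the only form that should reach logs, analytics or error reports."""
    parts = urlsplit(url)
    params = [(k, "REDACTED" if k == "code" else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))


def extract_code(url, expected_state):
    """Pull the authorization code out of the redirection URI query.
    The state check rejects a code that was not issued for this client session."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"])
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: refusing to use this code")
    code = params.get("code")
    if not code:
        raise ValueError("redirect carries no authorization code")
    if code in _consumed_codes:
        raise ValueError("authorization code already used")
    _consumed_codes.add(code)
    return code


def handle_callback(url, expected_state):
    """Return (code, log_line). The code goes straight to the token exchange
    and nowhere else; only the redacted line is written anywhere persistent."""
    code = extract_code(url, expected_state)
    return code, "callback received: " + redact_code(url)
```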