Hi Eran,

On 25.07.2011 03:28, Eran Hammer-Lahav wrote:
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Torsten Lodderstedt
> Sent: Wednesday, July 20, 2011 2:15 PM
>
>> "The authorization server redirects the user-agent to the
>> client's redirection URI previously established with the
>> authorization server during the client registration process."
>>
>> Conflicts with section 3.1.2.3, which allows passing a redirect_uri via a URI
>> query parameter.
>
> Added 'or when initiating the authorization request'
>
>> 3.1.2.1 Endpoint Confidentiality
>>
>> What does "endpoint" confidentiality mean? Which endpoint does this text
>> refer to? The client's redirect_uri endpoint?
>
> This is a sub-section of the Redirection URI endpoint.

OK, but how can an endpoint be confidential?

>> 3.1.2.5. Endpoint Content
>>
>> As this section discusses security aspects of the client's implementation of
>> the redirect_uri page, shouldn't this go to the security considerations
>> section?
>
> I think it is important enough to appear earlier. It is part of my effort to
> integrate concrete normative language from the security sections up to the
> protocol sections.

Understood and in support of this approach. Wouldn't this mean removing
some text from section 10 in order to prevent redundancies?

Regarding this particular section: I think the two different issues
(transport security and endpoint authenticity) should be presented
separately.

regards,
Torsten.

> EHL
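The first point in the thread is that a redirection URI can either be fixed at client registration or be supplied in the authorization request itself. What makes that safe on the authorization-server side is the comparison between the two, which the draft leaves implicit here. The following is an added illustration, not code from the thread, the draft or any OAuth implementation: a small authorization-server check written against the rules the final RFC 6749 (sections 3.1.2 and 3.1.2.3) adopted for this case. The client registry, the client identifiers, the URIs and the function names are all constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample registration store: client_id -> redirect URIs registered
# for that client (hypothetical names; nothing here comes from the thread).
REGISTERED_CLIENTS = {
    "client-a": ["https://app.example.com/cb"],
    "client-b": ["https://b.example.org/oauth/cb", "https://b.example.org/alt/cb"],
}


def has_valid_syntax(uri):
    """A redirect URI must be absolute and must not carry a fragment component."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and parts.fragment == ""


def resolve_redirect_uri(client_id, requested=None, registry=REGISTERED_CLIENTS):
    """Pick the redirect URI for this request, or None when it must be refused.

    - No redirect_uri in the request: acceptable only if exactly one URI was
      registered; with several registered URIs the parameter is mandatory.
    - redirect_uri present: it must equal a registered URI under simple string
      comparison. No prefix, host-suffix or path-normalised matching, so
      "https://app.example.com/cb/../evil" and "https://app.example.com.attacker.net/cb"
      are refused for client-a.
    """
    registered = registry.get(client_id)
    if not registered:
        return None
    if requested is None:
        return registered[0] if len(registered) == 1 else None
    return requested if requested in registered else None


def _single(params, name):
    """Return the single value of a query parameter, None if absent or blank.

    A parameter that appears more than once is rejected, so a second
    redirect_uri cannot slip past a parser that only reads the first value.
    """
    values = params.get(name, [])
    if len(values) > 1:
        raise ValueError("parameter %s appears more than once" % name)
    if not values or values[0] == "":
        return None
    return values[0]


def process_authorization_request(query_string, registry=REGISTERED_CLIENTS):
    """Validate the redirect target of an authorization request.

    Returns ("redirect", uri) when the user-agent may be redirected, or
    ("error", reason). On a missing or mismatched redirect_uri the server must
    NOT redirect anywhere (that would deliver the code to an unverified URI);
    the error is shown to the resource owner directly.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        client_id = _single(params, "client_id")
        requested = _single(params, "redirect_uri")
    except ValueError as exc:
        return ("error", str(exc))
    if client_id is None:
        return ("error", "client_id is required")
    if requested is not None and not has_valid_syntax(requested):
        return ("error", "redirect_uri must be an absolute URI without a fragment")
    target = resolve_redirect_uri(client_id, requested, registry)
    if target is None:
        return ("error", "redirect_uri is missing, ambiguous or not registered for this client")
    return ("redirect", target)


if __name__ == "__main__":
    # Constructed requests: the two benign shapes, then the usual mismatches.
    for q in (
        "response_type=code&client_id=client-a",
        "response_type=code&client_id=client-b",
        "response_type=code&client_id=client-b&redirect_uri=https%3A%2F%2Fb.example.org%2Falt%2Fcb",
        "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb%2F..%2Fevil",
        "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fapp.example.com.attacker.net%2Fcb",
        "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb%23frag",
        "response_type=code&client_id=client-a&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&redirect_uri=https%3A%2F%2Fevil.example%2F",
    ):
        print(q, "->", process_authorization_request(q))
```

The design choice worth noting is the exact string comparison in resolve_redirect_uri: any looser rule (prefix match, same-host match, normalising the path first) reopens exactly the gap the registration step is meant to close, and an error result is deliberately never turned into a redirect.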
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth