I recall making this point in Germany. 99% of existing use is fine. OIDC is probably the largest community that *might* have an issue.
I recall proposing a new security document that covers OAuth security for dynamic scenarios. "Dynamic" being broadly defined to mean:

* clients that are configured at runtime or install time (including clients that do discovery)
* clients that communicate with more than one endpoint
* clients that are deployed in large volume and may update frequently (more discussion of "public" cases)
* clients that are script based (loaded into browser on the fly)
* others?

Phil

> On Jan 25, 2016, at 10:39, George Fletcher <gffle...@aol.com> wrote:
>
> would