I have reviewed draft-ietf-oauth-device-flow-07. Just one comment regarding Section 5.1:
Would it be possible to suggest some minimally acceptable entropy value? The text says "The user code SHOULD have enough entropy that when combined with rate limiting makes a brute-force attack infeasible", but just how much entropy is enough?

A related question: the last call made me wonder if there are any plans to add a device flow for OpenID Connect. Does anyone know if such a thing is in the works?

Scott
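An added sizing example, not part of the original message or of the draft: one way to turn the Section 5.1 wording into numbers is to bound an attacker's chance of guessing a live user code from the rate limit and the code lifetime. The alphabet size, code length, rate limit, lifetime and target probability below are constructed sample values, and the rate limit is assumed to apply to the attacker as a whole.

```python
import math
from fractions import Fraction


def max_guesses(attempts_per_minute: int, lifetime_seconds: int) -> int:
    """Guesses a rate-limited attacker can submit before a user code expires."""
    return attempts_per_minute * lifetime_seconds // 60


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random code of `length` symbols."""
    return length * math.log2(alphabet_size)


def success_bound(alphabet_size: int, length: int, guesses: int,
                  active_codes: int = 1) -> Fraction:
    """Upper bound on P(at least one guess matches a live code).

    Union bound: guesses * active_codes / code_space. It is exact for a
    single live code and distinct guesses, and pessimistic otherwise.
    """
    space = alphabet_size ** length
    return min(Fraction(1), Fraction(guesses * active_codes, space))


def min_length(alphabet_size: int, guesses: int, target: Fraction,
               active_codes: int = 1) -> int:
    """Shortest code length whose success bound is at or below `target`."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    length = 1
    while success_bound(alphabet_size, length, guesses, active_codes) > target:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed sample policy: 5 attempts/minute, codes valid for 600 s.
    guesses = max_guesses(5, 600)
    target = Fraction(1, 2 ** 20)  # assumed acceptable success probability
    for alphabet in (10, 20, 36):
        n = min_length(alphabet, guesses, target)
        print(f"alphabet={alphabet:2d} length={n} "
              f"entropy={entropy_bits(alphabet, n):.1f} bits "
              f"bound={float(success_bound(alphabet, n, guesses)):.2e}")
    # Many codes live at once raise the requirement for the same target.
    print("1000 live codes, alphabet 20:",
          min_length(20, guesses, target, active_codes=1000))
```

The required entropy depends on the rate limit, the lifetime and the number of simultaneously valid codes, so a fixed minimum only makes sense alongside stated values for those three.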