WGLC feedback from a Microsoft engineer using the device flow...

From: ...
Sent: Wednesday, November 29, 2017 9:16 AM
To: Mike Jones <michael.jo...@microsoft.com>
Cc: ...
Subject: RE: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless and Input Constrained Devices

Hi Mike,

I got some comments around the user_code and its expiration which are not clear in the specs.

The user_code is not a one-time use, right? It seems to me that the user should be able to use the code more than once until the authorization is completed. Once the authorization is successful then the user_code should not be valid anymore.

The spec isn't clear about what happens if the user_code expires while the client is going through the authorization flow. Again, in my mind, the user_code is valid until the authorization is successful, and if it expires any time before that then we should not continue with the authorization and tell the user that the user_code has expired.

And if the user finished authorization and the user_code expires BEFORE the token is redeemed, then the 'expired_token' response should be sent back from the token endpoint.

Thanks,
...

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Rifaat Shekh-Yusef
Sent: Monday, November 27, 2017 5:55 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless and Input Constrained Devices

All,

As discussed in Singapore, we are starting a WGLC for the draft-ietf-oauth-device-flow-07 document, starting today and ending on December 11, 2017.

https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

Please review the document and provide feedback on the list.

Regards,
Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
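
The user_code lifecycle proposed in the feedback above, modeled as a small in-memory authorization server. This is an added example, not code from the draft or from anyone on the thread; the class and method names, the user_code format, the status strings other than authorization_pending, expired_token and invalid_grant, and the single shared expiry for both codes are assumptions.

```python
import secrets
import time

class AuthServer:
    """In-memory model: user_code and device_code share one expiry (assumption)."""

    def __init__(self, lifetime_s=600, clock=time.time):
        self.lifetime_s, self.clock = lifetime_s, clock
        self.by_user_code, self.by_device_code = {}, {}

    def start(self):
        """Device authorization request: mint both codes with one deadline."""
        grant = {"device_code": secrets.token_urlsafe(32),
                 "user_code": secrets.token_hex(4).upper(),  # constructed format
                 "expires_at": self.clock() + self.lifetime_s,
                 "approved": False}
        self.by_user_code[grant["user_code"]] = grant
        self.by_device_code[grant["device_code"]] = grant
        return grant

    def check_user_code(self, user_code):
        """Run at every step of the browser flow; does not consume the code."""
        grant = self.by_user_code.get(user_code)
        if grant is None:
            return "invalid"
        return "expired" if self.clock() >= grant["expires_at"] else "ok"

    def approve(self, user_code):
        """User finished authorizing: re-check expiry, then retire the user_code."""
        status = self.check_user_code(user_code)
        if status != "ok":
            return status  # expired mid-flow: stop and tell the user
        self.by_user_code.pop(user_code)["approved"] = True
        return "approved"

    def poll(self, device_code):
        """Token endpoint: the device polls with its device_code."""
        grant = self.by_device_code.get(device_code)
        if grant is None:
            return "invalid_grant"
        if self.clock() >= grant["expires_at"]:
            # Expired before redemption, even if the user already approved.
            del self.by_device_code[device_code]
            self.by_user_code.pop(grant["user_code"], None)
            return "expired_token"
        if not grant["approved"]:
            return "authorization_pending"
        del self.by_device_code[device_code]  # one-time redemption
        return "access_token_issued"
```

Passing a fake clock to AuthServer makes each of the three expiry cases from the message reproducible without waiting for real time to pass.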