Thanks for the update!

https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07#section-3.7.1.3

Audience restricted access token: In a multi-RS environment with an aud-restricted token policy in place, how should the AS respond to an authZ request with scope values that belong to more than one RS?

Vladimir

On 24/08/18 12:57, Torsten Lodderstedt wrote:
> Hi all,
>
> I just published a new revision of the OAuth Security BCP.
>
> Here is the list of changes:
> * added section on access token privilege restriction based on comments from
>   Johan Peeters
> * incorporated findings of Doug McDorman (e.g. domains used in examples)
> * added section on HTTP status codes for redirects
>
> kind regards,
> Torsten.
>
>> On 24.08.2018 at 11:51, internet-dra...@ietf.org wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>>
>> Title : OAuth 2.0 Security Best Current Practice
>> Authors : Torsten Lodderstedt
>>           John Bradley
>>           Andrey Labunets
>>           Daniel Fett
>> Filename : draft-ietf-oauth-security-topics-07.txt
>> Pages : 33
>> Date : 2018-08-24
>>
>> Abstract:
>> This document describes best current security practices for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-07
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-07
>>
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
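To make the audience restriction of section 3.7.1.3 concrete, here is an added example that is neither the draft's text nor code from anyone on this thread. It shows the RS-side check that gives audience restriction its value (a token minted for the calendar RS is refused by the mail RS even though its signature is valid), and one possible AS-side policy for the multi-RS question above: partition the requested scope values by the RS they belong to and issue one audience-restricted token per RS. That policy is an assumption used for illustration, not the draft's prescription. The scope-to-RS registry, the issuer URL, the `at+jwt` header and the HMAC demo key are all constructed for the example; a production AS would sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registry: which scope values belong to which resource server (RS).
SCOPE_TO_RS = {
    "calendar.read": "https://calendar.example.com",
    "calendar.write": "https://calendar.example.com",
    "mail.read": "https://mail.example.com",
}

# Constructed demo key shared by the AS and the RSs; assumption for the example only.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://as.example.com"  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def partition_scopes(requested):
    """Group requested scope values by the RS that owns them.

    A scope value that no RS owns is rejected rather than silently dropped,
    so the client learns its request was malformed instead of getting a
    token that quietly does less than asked.
    """
    by_rs = {}
    for scope in requested:
        rs = SCOPE_TO_RS.get(scope)
        if rs is None:
            raise ValueError(f"unknown scope value: {scope}")
        by_rs.setdefault(rs, []).append(scope)
    return by_rs


def mint_token(audience, scopes, key=DEMO_KEY, now=None, lifetime=300):
    """Mint an HMAC-signed JWT whose aud names exactly one RS and whose scope
    claim carries only that RS's values."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": ISSUER, "aud": audience, "scope": " ".join(scopes),
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_tokens(requested_scopes, key=DEMO_KEY, now=None):
    """AS side (assumed policy): when the requested scope spans several RSs,
    issue one audience-restricted token per RS instead of a single token
    that every RS would accept. Returns {rs_identifier: token}."""
    return {rs: mint_token(rs, scopes, key, now)
            for rs, scopes in partition_scopes(requested_scopes).items()}


def verify_token(token, my_audience, key=DEMO_KEY, now=None):
    """RS side: check signature and expiry, then refuse any token whose aud
    does not name this RS. Returns the granted scope set, or None on failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None                      # forged or signed with another key
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None                      # expired
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if my_audience not in aud_list:
        return None                      # minted for a different RS: the restriction bites here
    return set(claims.get("scope", "").split())


if __name__ == "__main__":
    tokens = issue_tokens(["calendar.read", "mail.read"], now=1_000_000)
    cal = tokens["https://calendar.example.com"]
    print(verify_token(cal, "https://calendar.example.com", now=1_000_000))  # {'calendar.read'}
    print(verify_token(cal, "https://mail.example.com", now=1_000_000))      # None
```

The check that matters at the RS is the `aud` comparison after signature verification: a leaked or replayed calendar token carries no `mail.read` scope and names a different audience, so the mail RS rejects it on two independent grounds. Issuing one token per RS is only one of the possible AS behaviours; the alternative of rejecting multi-RS scope requests outright, or of asking the client to indicate the intended resource explicitly, is a policy decision the draft text above does not settle.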