Francis,

The backchannel-first pattern that you are discussing is one of the key components of TxAuth, which we are discussing on the txa...@ietf.org mailing list, and I invite you to join the conversation there. I have a project to implement these ideas that's documented at https://oauth.xyz/, and it's been submitted as a draft to what will hopefully become the TxAuth Working Group in the near future.
https://tools.ietf.org/html/draft-richer-transactional-authz

— Justin

> On Apr 8, 2020, at 6:30 PM, Francis Pouatcha <fpo=40adorsys...@dmarc.ietf.org> wrote:
>
> Hello Aaron,
> As much as I would love to require that all authorization requests are initiated via a back channel, that is unfortunately not something that is in scope of the current OAuth 2.1 document.
>
> The OAuth 2.0 Security BCP and this document require strict redirect URI matching, which should help simplify the AS, since simple string matching is sufficient now.
>
> Not sure it is a good idea to limit the scope of OAuth 2.1 to the existing functionality of OAuth 2.0 unless we are planning an OAuth 3.0 soon.
> --
> Francis Pouatcha
> Co-Founder and Technical Lead at adorsys
> https://adorsys-platform.de/solutions/
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth