Hi Karsten, Daniel,

As the document shepherd, I have reviewed the document and I have the following comments on the draft-ietf-oauth-iss-auth-resp-01 version:

Section 2.4, paragraph 3, first sentence:
"If clients interact with both authorization servers supporting this specification and authorization servers not supporting this specification, clients SHOULD store the information which authorization server supports the "iss" parameter."
Why is this a SHOULD?

"Clients MUST reject authorization responses without the "iss" parameter from authorization servers which do support the parameter according to the client's configuration."
What should the client do when it receives a response with the "iss" parameter from an authorization server that did not indicate its support for this parameter?

Section 7: RFC6479 should be replaced with *RFC6749*.

Regards,
Rifaat
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
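The client-side rules the review above quotes (track per authorization server whether it sends "iss", reject a response that lacks "iss" when the AS is recorded as supporting it, and compare a present "iss" against the AS the request actually went to) as an added example in Python. This is illustration code written for this page, not code from the draft, from the reviewer, or from any OAuth library. It assumes the client keeps a boolean `supports_iss` per AS in its own configuration (the published RFC 9207 exposes the same information through the AS metadata field `authorization_response_iss_parameter_supported`; that name is not on this page), binds the expected issuer to the `state` value at request time, and compares issuer strings byte-for-byte with no URI normalisation. The case the reviewer raises, an "iss" arriving from an AS not recorded as supporting it, is left open by the draft text quoted above; the example's handling of it (verify the value, accept a match, reject a mismatch, leave the stored flag unchanged) is the example's own policy choice. All URLs and state values are constructed sample input.

```python
"""Client-side validation of the "iss" authorization response parameter.

Added example, not code from the draft or the reviewer. The per-AS
``supports_iss`` flag stands in for whatever the client stores about each AS;
the published RFC 9207 carries it in AS metadata as
``authorization_response_iss_parameter_supported`` (name not on this page).
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


class AuthResponseRejected(Exception):
    """Raised when the authorization response must not be used."""


@dataclass
class AuthorizationServer:
    issuer: str         # issuer identifier; compared as an exact string
    supports_iss: bool  # client's stored knowledge: does this AS send "iss"?


@dataclass
class Client:
    servers: dict                                # issuer -> AuthorizationServer
    pending: dict = field(default_factory=dict)  # state -> issuer the request went to

    def start_authorization(self, issuer: str, state: str) -> None:
        """Record which AS a request was sent to, keyed by its state value.
        Without this binding the client cannot know which "iss" to expect."""
        if issuer not in self.servers:
            raise KeyError(f"unknown AS {issuer}")
        self.pending[state] = issuer

    def validate_response(self, redirect_url: str) -> str:
        """Validate the response delivered to the redirect URI.
        Returns the authorization code, or raises AuthResponseRejected."""
        params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
        state = _single(params, "state")
        # pop() makes each state single-use, so a replayed response fails
        expected_issuer = self.pending.pop(state, None)
        if expected_issuer is None:
            raise AuthResponseRejected("unknown or replayed state")
        server = self.servers[expected_issuer]
        iss = _single(params, "iss", required=False)

        if iss is None:
            if server.supports_iss:
                # The AS is known to send "iss"; its absence means the response
                # was stripped or came from somewhere else. Reject (the MUST).
                raise AuthResponseRejected("iss missing from AS that supports it")
            # AS not known to send "iss": nothing to check on this parameter.
        elif iss != expected_issuer:
            # Exact string comparison, no normalisation. A mismatch is the
            # mix-up signature: the response did not come from the AS that
            # received the request.
            raise AuthResponseRejected(
                f"iss mismatch: got {iss!r}, expected {expected_issuer!r}")
        # Example policy (the draft text on this page leaves it open): an "iss"
        # from an AS not recorded as supporting it has still been compared
        # above; a match is accepted. The stored flag is deliberately not
        # flipped here, since a forged but matching response could otherwise
        # make the client reject every later response from that AS.
        return _single(params, "code")


def _single(params: dict, name: str, required: bool = True):
    """Fetch exactly one value for a query parameter; duplicates are rejected
    so an attacker cannot smuggle a second "iss" or "state" value."""
    values = params.get(name, [])
    if len(values) > 1:
        raise AuthResponseRejected(f"duplicate {name} parameter")
    if not values:
        if required:
            raise AuthResponseRejected(f"missing {name} parameter")
        return None
    return values[0]


def is_rejected(client: Client, redirect_url: str) -> bool:
    """Helper for callers that only want the accept/reject decision."""
    try:
        client.validate_response(redirect_url)
    except AuthResponseRejected:
        return True
    return False
```

The example registers two servers: one recorded as sending "iss" and one legacy server that is not. A response to a request that went to the first server is rejected both when "iss" is missing and when it names a different issuer (the mix-up case), while the legacy server's responses are accepted with or without a matching "iss".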