Hi Rifaat, thank you for the shepherd's review.
Those are valid comments. We will have a second look at this paragraph.

Best regards,
Karsten

On 04.09.2021 16:20, Rifaat Shekh-Yusef wrote:
Hi Karsten, Daniel,

As the document shepherd, I have reviewed the document and I have the following comments on draft-ietf-oauth-iss-auth-resp-01 version:

Section 2.4, paragraph 3, first sentence:
"If clients interact with both authorization servers supporting this specification and authorization servers not supporting this specification, clients SHOULD store the information which authorization server supports the "iss" parameter."
Why is this a SHOULD?

"Clients MUST reject authorization responses without the "iss" parameter from authorization servers which do support the parameter according to the client's configuration."
What should the client do when it receives a response with "iss" parameter from an authorization server that did not indicate its support for this parameter?

Section 7
RFC6479 should be replaced with *RFC6749*

Regards,
Rifaat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
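The client-side checks discussed in Rifaat's Section 2.4 comments (per-server record of "iss" support, mandatory match when the server supports it, and the open question of an unexpected "iss" from a server without declared support) as an added example; this is not code from the draft or from the thread participants. The AS_CONFIG table, the issuer values and the handling of the unexpected-"iss" case (compare anyway and reject on mismatch) are my own assumptions, not text from the draft.

```python
from urllib.parse import parse_qs, urlparse

# Constructed client configuration (assumption, not from the thread): the
# issuer identifier the client registered for each authorization server and
# whether that server is recorded as supporting the "iss" response parameter.
AS_CONFIG = {
    "as-a": {"issuer": "https://as-a.example/", "supports_iss": True},
    "as-b": {"issuer": "https://as-b.example/", "supports_iss": False},
}


class IssuerMismatch(Exception):
    """Raised when the authorization response must be rejected."""


def validate_auth_response(redirect_url: str, expected_as: str) -> str:
    """Check the 'iss' parameter of an authorization response.

    expected_as names the server this flow was started with (bound e.g.
    via 'state'). Returns the issuer identifier the response is accepted
    for, or raises IssuerMismatch.
    """
    cfg = AS_CONFIG[expected_as]
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)
    iss_values = params.get("iss", [])

    if cfg["supports_iss"]:
        # Server is configured as supporting "iss": the parameter is required
        # exactly once and must equal the configured issuer (exact match).
        if len(iss_values) != 1:
            raise IssuerMismatch("missing or duplicated iss parameter")
        if iss_values[0] != cfg["issuer"]:
            raise IssuerMismatch("iss does not match the expected issuer")
        return iss_values[0]

    # Server not recorded as supporting "iss" (the open question): the
    # defensive choice taken here (an assumption) is to still compare any
    # value that does arrive and reject a mismatch, which is exactly the
    # symptom of a mixed-up response from a different server.
    if iss_values and iss_values != [cfg["issuer"]]:
        raise IssuerMismatch("unexpected iss from server without iss support")
    return cfg["issuer"]


def is_rejected(redirect_url: str, expected_as: str) -> bool:
    """Convenience wrapper: True if the response would be rejected."""
    try:
        validate_auth_response(redirect_url, expected_as)
    except IssuerMismatch:
        return True
    return False
```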