Hi Rifaat,

thank you for the shepherd's review.

Those are valid comments. We will have a second look on this paragraph.

Best regards,
Karsten

On 04.09.2021 16:20, Rifaat Shekh-Yusef wrote:
Hi Karsten, Daniel,

As the document shepherd, I have reviewed the document and I have the following comments on draft-ietf-oauth-iss-auth-resp-01 version:


Section 2.4, paragraph 3, first sentence:

"If clients interact with both authorization servers supporting this
   specification and authorization servers not supporting this
   specification, clients SHOULD store the information which
   authorization server supports the "iss" parameter."

Why is this a SHOULD?


"Clients MUST
   reject authorization responses without the "iss" parameter from
   authorization servers which do support the parameter according to the
   client's configuration."

What should the client do when it receives a response with "iss" parameter
from an authorization server that did not indicate its support for this parameter?


Section 7

RFC6479 should be replaced with *RFC6749*


Regards,
  Rifaat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:  +49 (0)234 / 54456499
Web:    https://hackmanit.de | IT Security Consulting, Penetration Testing, 
Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find 
out more on our blog:
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
Christian Mainka, Prof. Dr. Marcus Niemietz

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to