Thanks for the review, Roman. I've made the changes as suggested. You can see the diff with the changes here: https://github.com/oauth-wg/oauth-browser-based-apps/pull/107/files
On Tue, Apr 22, 2025 at 7:27 AM Roman Danyliw via Datatracker <nore...@ietf.org> wrote:
> Roman Danyliw has entered the following ballot position for
> draft-ietf-oauth-browser-based-apps-24: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you to Thomas Fossati for the GENART review. Per his feedback, has the
> WG decided on whether to add this document to BCP212?
>
> ** Section 6.1.2.4.
> The OAuth flow used by this application architecture can be combined
> with OpenID Connect by including the necessary OpenID Connect scopes
> in the authorization request (C).
>
> Is “OpenID Connect scopes” something that can get a reference?
>
> ** Section 6.1.3.4. This section has a number of clauses prescribing behavior
> with a “SHOULD”, but doesn’t provide much context on when or why this behavior
> might need to be ignored.
>
> ** Section 7.
> As a result, previous recommendations are often no longer recommended
> and proposed solutions often fall short of meeting the expected
> security requirements.
>
> Whose “recommendations” is this referencing?
>
> ** Section 7.2.3.4. Editorial.
> It is relatively common to use third-party scripts in browser-based
> applications, such as analytics tools, crash reporting, and even
> things like a Facebook or Twitter "like" button
>
> Consider if the explicit reference to “Facebook or Twitter” will age well,
> since “Twitter” doesn’t exist by that name anymore. Perhaps “social media
> ‘like’ button” instead?
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org