There's a chance that my slides won't be through my internal review process prior to the start of our WG session in Prague. That being the case, I wanted to tee up what I have on my list for discussion topics:

- Ongoing policy development in the ICANN context in particular. What happens here can have a direct impact on needed claims.
- Non-browser clients: is the OAuth device flow needed?
- Are the currently specified path segments "correct"? Are more needed?
- Should custom claims be returned in an ID token or via the UserInfo endpoint? OpenID Connect allows for both possibilities.
- I think I need to change the way the draft describes sending tokens. It currently does this:

  ..../domain/example.com?id_token=eyJ0...EjXk&access_token=eyJ0...NiJ9

  It should probably do this instead:

  ..../domain/example.com?id_token=eyJ0...EjXk

  along with an HTTP header (Authorization: Bearer <access_token>)

Scott
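
The two request forms compared in the message above, as an added example that is not part of the original message or of the draft: a Python helper that rewrites the first form into the second and validates the token before it reaches a header. The host `rdap.example`, the function name and the token strings are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Bearer credential syntax (b64token) from RFC 6750, section 2.1.
B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Constructed sample request in the "currently does this" form.
SAMPLE = ("https://rdap.example/domain/example.com"
          "?id_token=aaa.bbb.ccc&access_token=ddd.eee.fff")


def to_bearer_request(url):
    """Move access_token from the query string into a Bearer header.

    Returns (new_url, headers). id_token and any other query
    parameters stay in the URL in their original order.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    access = [v for k, v in pairs if k == "access_token"]
    if len(access) > 1:
        raise ValueError("more than one access_token parameter")
    headers = {}
    if access:
        token = access[0]
        # parse_qsl percent-decodes the value, so %0d%0a would become
        # CR/LF here; fullmatch rejects that before it reaches a header.
        if not B64TOKEN.fullmatch(token):
            raise ValueError("access_token is not a valid b64token")
        headers["Authorization"] = "Bearer " + token
    kept = [(k, v) for k, v in pairs if k != "access_token"]
    new_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return new_url, headers


if __name__ == "__main__":
    new_url, headers = to_bearer_request(SAMPLE)
    print(new_url)
    print(headers)
```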