Good notes. Please apply the following fixes to them...
To the list of new OAuth RFCs since the last meeting please also add:
draft-ietf-oauth-json-web-token
draft-ietf-oauth-saml2-bearer
draft-ietf-oauth-jwt-bearer
Please change:
Mike: If the access_token is used
hi,
let me give you an example of what my concern is.
I admit this example is a bit extreme but still
As said, one popular redirect_uri used by mobile apps is http://localhost.
Let’s also say a resource owner uses this mobile app the first time and approves
the consent screen and so forth…
It also
Antonio, are you arguing for short token lifetimes and so frequent
explicit consent? or something more
if the app has a valid refresh token then there is no opportunity for
the AS to inject a consent screen
paul
On 7/24/15 3:00 AM, Antonio Sanso wrote:
hi,
nice to see some work on this to
Right, SHOULD NOT is fine. I am just asking not to make it a MUST NOT.
2015-07-24 17:47 GMT+09:00 Brian Campbell:
> PKCE prevents a bad app from using the code when there's a collision in
> the custom scheme used for the redirect URI. However the same app could
> immediately issue a new authoriz
PKCE prevents a bad app from using the code when there's a collision in the
custom scheme used for the redirect URI. However the same app could
immediately issue a new authorization request with its own PKCE parameters
and (mostly) transparently get back a code that it can use. Having some
user in
Prompting is not necessarily a good thing.
It is very context specific, so please do not make it required.
Nat
2015-07-24 16:38 GMT+09:00 John Bradley:
> Hi Antonio,
>
> Thanks for the feedback.
>
> I agree that for non confidential clients, the user needs to be prompted.
> It might be fai
Hi Antonio,
Thanks for the feedback.
I agree that for non confidential clients, the user needs to be prompted. It
might be fair to just confirm the grants rather than resetting them from
defaults.
I know some people are doing that, but I suspect that not everyone is.
Good stuff.
People sho
hi,
nice to see some work on this topic by the way!
Couple of comments below inline
On Jul 24, 2015, at 7:51 AM, John Bradley <ve7...@ve7jtb.com> wrote:
Thanks for the review Erik,
We will go through it in detail and get back to you.
I am working with a couple of governments on how a