Re: [OAUTH-WG] HTTP request signing and repeated query/header keys

2016-03-01 Thread Justin Richer
+1, this was a driving requirement when I wrote the first strawman. I can’t tell you the number of times I had frameworks mess things up with OAuth 1, which does exactly the algorithm that you mention below. I’m currently in favor of just leaving the repeated parameter and header out of the co

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-03-01 Thread George Fletcher
I'm fine with this clarification as it more correctly describes the purpose of the document. Thanks, George On 2/29/16 5:34 PM, Brian Campbell wrote: +1 for "OAuth 2.0 Authorization Server Discovery" from those two options. But what about "OAuth 2.0 Authorization Server Metadata"? The doc

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-03-01 Thread Vladimir Dzhuvinov
Inline > On 01/03/16 16:33, John Bradley wrote: > Inline > >> On Mar 1, 2016, at 5:51 AM, Vladimir Dzhuvinov >> wrote: >> >> Hi John, >> >> On 28/02/16 01:15, John Bradley wrote: >>> If the malicious client is registering its own redirect URI then option A >>> won’t help. >>> >>> On the other

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-03-01 Thread John Bradley
Inline > On Mar 1, 2016, at 5:51 AM, Vladimir Dzhuvinov > wrote: > > Hi John, > > On 28/02/16 01:15, John Bradley wrote: >> If the malicious client is registering its own redirect URI then option A >> won’t help. >> >> On the other hand the Good AS should identify the malicious client to t

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-03-01 Thread Thomas Broyer
On Mon, Feb 29, 2016 at 11:35 PM Brian Campbell wrote: > +1 for "OAuth 2.0 Authorization Server Discovery" from those two options. > > But what about "OAuth 2.0 Authorization Server Metadata"? > > The document in its current scope (which I agree with, BTW) isn't really > about discovery so much a

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-03-01 Thread Vladimir Dzhuvinov
Hi John, On 28/02/16 01:15, John Bradley wrote: > If the malicious client is registering its own redirect URI then option A > won’t help. > > On the other hand the Good AS should identify the malicious client to the > user. How could that be done in practice, especially with an AS that provid

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-03-01 Thread Vladimir Dzhuvinov
On 01/03/16 00:34, Brian Campbell wrote: > +1 for "OAuth 2.0 Authorization Server Discovery" from those two options. > > But what about "OAuth 2.0 Authorization Server Metadata"? > > The document in its current scope (which I agree with, BTW) isn't really > about discovery so much as about descri