Hi Brock,
there have been several attempts to start writing some guidance but so far we
haven’t gotten too far.
IMHO it would be great to have a document.
Ciao
Hannes
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brock Allen
Sent: 17 May 2018 14:57
To: oauth@ietf.org
Subject: [OAUTH-
This is an honest question: How important is the actor stuff to the
players involved? Are people going to use it? IMO, its an edge case
and I think more important areas, like external token exchange (realm
to realm, domain to domain) are being neglected. I'm quite unfamiliar
how consensus is rea
Moving the actor claim to a separate specification would only make things more
complicated for developers. There already plenty of OAuth specs. Needlessly
adding another one will only make related things harder to find.
Just like in the JWT [RFC 7519] spec itself in which use of all the claims
Much like updated guidance was provided with the "OAuth2 for native apps" RFC,
should there be one for "browser-based client-side JS apps"? I ask because
google is actively discouraging the use of implicit flow:
https://github.com/openid/AppAuth-JS/issues/59#issuecomment-389639290
>From what I
+1 to this.
Rob
On Thu, 17 May 2018 at 13:10, Bill Burke wrote:
> My personal opinion is that I'm glad this actor stuff is optional.
> For one, none of our users have asked for it and really only do simple
> exchanges. Secondly, the rules for who can exchange what for what is
> controlled and
My personal opinion is that I'm glad this actor stuff is optional.
For one, none of our users have asked for it and really only do simple
exchanges. Secondly, the rules for who can exchange what for what is
controlled and defined within our AS. Makes things a lot simpler on
the client. I kind of
