Re: [OAUTH-WG] PAR: pushed requests must become JWTs

2020-01-08 Thread Torsten Lodderstedt
Hi, you are right, PAR does not require the AS to represent the request as a JWT-based request object. The URI is used as internal reference only. That's why the draft states "There is no need to make the authorization request data available to other parties via this URI." This dif

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIED SENDER] Re: [UNVERIFIED SENDER] Re: PAR metadata

2020-01-08 Thread Richard Backman, Annabelle
I almost included text to that effect, but thought it was getting too wordy. However, your suggestion is simple and concise. +1 Given all of this discussion, we should include a section on request validation in Security Considerations, to provide some context on what might be validated when and

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-08 Thread Dave Tonge
+1 On Wed, 8 Jan 2020 at 14:30, Nat Sakimura wrote: > +1 > > On Wed, Jan 8, 2020 at 8:53 AM Joseph Heenan wrote: > >> +1 >> >> On 8 Jan 2020, at 03:31, Steinar Noem wrote: >> >> +1 >> >> tir. 7. jan. 2020 kl. 17:53 skrev Torsten Lodderstedt > 40lodderstedt@dmarc.ietf.org <40lodderstedt

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-08 Thread Nat Sakimura
+1 On Wed, Jan 8, 2020 at 8:53 AM Joseph Heenan wrote: > +1 > > On 8 Jan 2020, at 03:31, Steinar Noem wrote: > > +1 > > tir. 7. jan. 2020 kl. 17:53 skrev Torsten Lodderstedt 40lodderstedt@dmarc.ietf.org <40lodderstedt@dmarc.ietf..org>>: > >> +1 >> >> > On 7. Jan 2020, at 17:25, Brian C

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIED SENDER] Re: PAR metadata

2020-01-08 Thread Torsten Lodderstedt
Hi Annabelle, thanks for your proposal, which reads reasonable to me. I suggest to extend “and that the request has not been modified in a way that would affect the outcome of the omitted steps.” a bit to also consider policy changes that may have occurred between push and authorization reque

Re: [OAUTH-WG] OAuth@ietf.org mailing list reminder

2020-01-08 Thread kimoun905=40yahoo . com
On Wednesday, January 8, 2020, 2:59:06 PM GMT+7, wrote: You, or someone posing as you, has requested a password reminder for your membership on the mailing list oauth@ietf.org.  You will need this password in order to change your membership options (e.g. do you want regular delivery o