On Apr 5, 2020, at 12:42 PM, Aaron Parecki wrote:
> Aside from that, I'm struggling to understand what this section is actually
> saying to do. Since this is in the "Authorization Code Grant" section, is
> this saying that using response_type=code is fine as long as the client
> checks the "non
All,
You can find the slides for tomorrow's meeting at the following link:
https://datatracker.ietf.org/meeting/interim-2020-oauth-03/session/oauth
Regards,
Rifaat
On Thu, Apr 2, 2020 at 10:06 AM IESG Secretary wrote:
> The Web Authorization Protocol (oauth) Working Group will hold
> a virtu
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 for Browser-Based Apps
Authors : Aaron Parecki
David Waite
I believe the document would flow better if section 4.12 about Refresh
Tokens were moved into section 2. The Refresh Token section contains
descriptions of some pretty significant normative behavior, and I worry
that it will get lost in the long list of attacks and mitigations.
Section 2 starts wi
Section 2.1.1 says:
>Clients MUST prevent injection (replay) of authorization codes into
>the authorization response by attackers. The use of PKCE [RFC7636]
>is RECOMMENDED to this end. The OpenID Connect "nonce" parameter and
>ID Token Claim [OpenID] MAY be used as well.
Minor n
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Security Best Current Practice
Authors : Torsten Lodderstedt
J