Hey Aaron / Emelia
I stumbled across
https://www.ietf.org/id/draft-parecki-oauth-client-id-metadata-document-00.html
(was any info posted to the list?)
I like the general concept. Questions:
1. If an AS supports both registered and unregistered clients, is there
any guidance or requirements on

What puzzles me about talking about downgrade attacks in this context is between
what points in time you are anticipating that a downgrade might occur. The
Resource Server advertises its proposed authentication methods in a
WWW-Authenticate response. The client then chooses one of them, probably

> A fair question is whether allowing clients to choose from among
> supported authentication methods represents an opportunity for a
> downgrade attack.
> Since resource servers will only enumerate authentication methods
> acceptable to them, by definition,
> any choice made by the client from