Thanks for the review. We've just published draft 22 addressing this
feedback.
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-22.html
Comments are inline:
> General: There are more than a couple of Normative references that are
> pointing to 'living documents'. From my readi
Internet-Draft draft-ietf-oauth-browser-based-apps-22.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
Title: OAuth 2.0 for Browser-Based Applications
Authors: Aaron Parecki
David Waite
Philippe De Ryck
Name:dr
Hi Watson,
> My consideration here is just about the cost in bits. 1 bit status - easy, everyone gets the same thing, wanted it. 2 bit status - by only defining one of them in the application, we force any application with 2 defined statuses up to 4 bit status symbols. Feels like a waste. That is d
Hello Vladimir,
The problem with "insufficient_scope" is that it refers not to the abstract
scope, but to the concrete "scope" token claim. The "scope" claim might be
fine, but the token might lack the necessary RAR authorization_details. And
yes, there is currently no way for the RS to communicat