I guess it is fair to say that when we are talking about credentialed
clients, we are targeting native apps that, after getting installed, use a
ceremony (probably using Dynamic Client Registration) to establish a
credential for that specific instance on the AS. Do you foresee other use cases?
Back to Da
"This draft is actually significantly simpler than DPoP precisely because
it is not defining an HTTP signing mechanism."
That is my understanding as well, but I was afraid to start a flame war :D
On Fri, Oct 8, 2021 at 4:23 PM Justin Richer wrote:
> Hi Mike,
>
> One of the major benefits of thi
Hi Ash,
my understanding of an erratum is when there is something technically wrong
with the document.
Your point is clear, and it is valid: requiring the client id on the
revocation endpoint for public clients does not protect the endpoint.
You might say that it is pointless to require it and might cause p
Hi All,
I think those are valid points, but they can be better addressed on
identity management forums like IDSA or IDPro.
https://www.idsalliance.org/
https://idpro.org/
On Mon, Aug 9, 2021 at 5:55 PM Warren Parad wrote:
> I definitely see that there is room for a potential attack depending