> On 29.08.2018 at 15:38, George Fletcher wrote:
>
> Couldn't the AS issue a token where the audience restriction is a list? This
> is true of the id_token spec.
Sure, it could. That's certainly better than an unconstrained access token. But
the recommendation in the draft is to restrict tok
Couldn't the AS issue a token where the audience restriction is a list?
This is true of the id_token spec.
On 8/27/18 2:24 PM, Torsten Lodderstedt wrote:
On 27.08.2018 at 11:32, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
Thanks for the update!
https://tools.ietf.org/htm
> On 27.08.2018 at 11:32, Vladimir Dzhuvinov wrote:
>
> Thanks for the update!
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07#section-3.7.1.3
>
> Audience restricted access token:
>
> In a multi-RS environment with aud-restricted token policy in place, how
> should the AS
Thanks for the update!
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07#section-3.7.1.3
Audience restricted access token:
In a multi-RS environment with aud-restricted token policy in place, how
should the AS respond to an authZ request with scope values that belong
to more than o
Hi all,
I just published a new revision of the OAuth Security BCP.
Here is the list of changes:
* added section on access token privilege restriction based on comments from
Johan Peeters
* incorporated findings of Doug McDorman (e.g. domains used in examples)
* added section on HTTP status cod
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Security Best Current Practice
Authors : Torsten Lodderstedt
J