"don't use the Implicit or Resource Owner Password Credentials grant types"
I cannot overstate how strongly I would support this recommendation in
particular!
Best regards
Rob
On Tue, 19 Nov 2019 at 10:07, Hans Zandbelt
wrote:
> How about:
>
> - don't use the Implicit or Resource Owner Pass
Oh, I see where you are heading. We potentially can cut some bells and whistles
out of the current text.
> On 19.11.2019 at 18:06, Hans Zandbelt wrote:
>
>
> How about:
>
> - don't use the Implicit or Resource Owner Password Credentials grant types
> - perform exact matching of redirect UR
How about:
- don't use the Implicit or Resource Owner Password Credentials grant types
- perform exact matching of redirect URIs and make them Client/AS specific
- use PKCE
Hans.
On Tue, Nov 19, 2019 at 5:58 PM Torsten Lodderstedt
wrote:
>
>
> > On 19. Nov 2019, at 17:10, Hans Zandbelt
> wro
> On 19. Nov 2019, at 17:10, Hans Zandbelt wrote:
>
>
>
> On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt
> wrote:
> Hi Hans,
>
> > On 18. Nov 2019, at 04:11, Hans Zandbelt wrote:
> >
> > Hi,
> >
> > Please find my feedback from page 21 onwards below.
> >
> > Hans.
> >
> > Overa
On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <
tors...@lodderstedt.net> wrote:
> Hi Hans,
>
> > On 18. Nov 2019, at 04:11, Hans Zandbelt
> wrote:
> >
> > Hi,
> >
> > Please find my feedback from page 21 onwards below.
> >
> > Hans.
> >
> > Overall I would argue there's room for a very con
Hi Hans,
> On 18. Nov 2019, at 04:11, Hans Zandbelt wrote:
>
> Hi,
>
> Please find my feedback from page 21 onwards below.
>
> Hans.
>
> Overall I would argue there's room for a very concise guidance section that
> says: do this, don't do that, without explanation, just as a reference for