FYI. I have been noticing a substantial number of sites acting as OAuth
Clients using OAuth to authenticate users.
I know several of us have blogged on the issue over the past year so I won't
re-hash it here. In short, many of us recommended OIDC as the correct
methodology.
Nevertheless, I
Thanks for your answers.
I feel that there is not a clear solution to my question/problem currently.
I don't think that throttling is out of the scope of OAuth 2.0.
If resource owner password credentials is defined as an OAuth 2.0
mechanism, the expected behaviour when the access is blocked becau
Hi Santiago,
we use the "invalid_grant" error code in conjunction with further information
encoded into the error description (including lock out time) for such cases.
The example error description
"invalid username or password; account locked temporarily; 10 s"
tells the client that the user
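As an added illustration of the reply above (example code written for this page, not code from the thread's participants or from any OAuth implementation): a client-side parser for a token endpoint error response that carries the "invalid_grant" error with the lockout information packed into error_description. RFC 6749 section 5.2 defines the "error" and "error_description" members; the "account locked temporarily; 10 s" layout is the convention described in the reply, and treating the trailing number as a lockout duration in seconds is an assumption made here. Since RFC 6749 only says error_description is human-readable, a client should parse it this way only when client and server have agreed on the format; the code falls back to a plain failure otherwise. The sample responses are constructed.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample token endpoint error bodies (HTTP 400 responses per RFC 6749 section 5.2).
# The description format follows the convention described in the reply above; it is not
# standardized by RFC 6749.
SAMPLE_LOCKED_RESPONSE = json.dumps({
    "error": "invalid_grant",
    "error_description": "invalid username or password; account locked temporarily; 10 s",
})
SAMPLE_BAD_PASSWORD_RESPONSE = json.dumps({
    "error": "invalid_grant",
    "error_description": "invalid username or password",
})


@dataclass
class TokenError:
    error: str
    description: str
    locked: bool                  # True when the description signals a temporary lockout
    retry_after_s: Optional[int]  # lockout duration in seconds (assumed unit), if given


# Assumed convention: "...; account locked temporarily; <N> s" where N is seconds.
_LOCK_RE = re.compile(r"account locked temporarily;\s*(\d+)\s*s\b")


def parse_token_error(body: str) -> TokenError:
    """Parse a token endpoint error body; only invalid_grant with the agreed
    lockout phrase is interpreted as a lockout, everything else is a plain failure."""
    data = json.loads(body)
    error = data.get("error", "")
    desc = data.get("error_description", "")
    match = _LOCK_RE.search(desc)
    if error == "invalid_grant" and match:
        return TokenError(error, desc, True, int(match.group(1)))
    return TokenError(error, desc, False, None)


def next_attempt_delay(err: TokenError, default_backoff_s: int = 1) -> int:
    """Client-side policy: honor the server's lockout window so the client stops
    retrying a locked account; otherwise use a small default backoff."""
    if err.locked and err.retry_after_s is not None:
        return err.retry_after_s
    return default_backoff_s


if __name__ == "__main__":
    for body in (SAMPLE_LOCKED_RESPONSE, SAMPLE_BAD_PASSWORD_RESPONSE):
        err = parse_token_error(body)
        print(err, "-> wait", next_attempt_delay(err), "s before retrying")
```

The split between "locked" and "plain invalid_grant" is what lets a client distinguish a wrong password from a lockout without the server inventing a new error code, which is the point of the reply: the standard error code stays "invalid_grant" and the extra detail rides in error_description.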
JSON Object Signing and Encryption (JOSE) -14 drafts have been published that
incorporate minor updates requested by the working group since the last working
group call. The primary change was adding algorithm identifiers for AES
algorithms using 192 bit keys; supporting these algorithms is opt