Hi Nat, Hi John,
thanks for the work on this document. I have started my review and
wanted to post a few thoughts about the abstract and the introduction.
I have some wording suggestions for the abstract. Here is the current
abstract:
"
The authorization request in RFC6749 utilizes query para
Hello all,
I have a couple of comments/issues with the RFC at
https://tools.ietf.org/html/rfc7662.
Section 2.1 (Introspection Request) says that "To prevent
token scanning attacks, the endpoint MUST also require some form of
authorization to access this endpoint..." This might make s
Hi Michael,
Thanks for the comments. First off, the text of an RFC is fixed and cannot be
changed. The spec can only be altered with a new document that obsoletes
RFC7662, which would have to go through the working group process again from
the very beginning.
Authentication is required but we’
We had a debate on that MUST at the last IETF, but the spec was too far
along to change. The workaround is to treat the token you are introspecting
as the authentication. With that workaround, the spec is quite usable for
non-confidential clients, even if resource servers were the primary target.
At IETF94, a number of us got together to discuss the event work that is
emerging in the Identity space:
* OIDF RISC
* OIDC Logout
* SCIM Notify Events
* OAuth Token Revocations
* Consent Events
The Id-Event discussion list is intended to begin discussion around developing
new IDs (and