Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-07.txt

2018-08-27 Thread Vladimir Dzhuvinov
Thanks for the update! https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07#section-3.7.1.3 Audience restricted access token: In a multi-RS environment with aud-restricted token policy in place, how should the AS respond to an authZ request with scope values that belong to more than o

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-07.txt

2018-08-27 Thread Torsten Lodderstedt
> On 27.08.2018 at 11:32, Vladimir Dzhuvinov wrote: > > Thanks for the update! > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-07#section-3.7.1.3 > > Audience restricted access token: > > In a multi-RS environment with aud-restricted token policy in place, how > should the AS

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-resource-indicators-00.txt: Error code on failure to parse resource URI

2018-08-27 Thread Brian Campbell
Sorry for the slow response Vladimir, It seemed worthwhile to have an error code that was more specific than "invalid_request" to convey back to the client that there was an issue with the value(s) it provided for the resource parameter - it's similar to "invalid_scope" from RFC 6749 in that regar

Re: [OAUTH-WG] Last Call: (OAuth 2.0 Token Exchange) to Proposed Standard

2018-08-27 Thread Brian Campbell
Hi Hans, Yes, I suppose it's somewhat implicit (although the Terminology section does say that the term "client" is used as defined by RFC 6749) but the intent is that the client in a token exchange is an OAuth client and