My preference would be that if a request object is used, all parameters
must go in there
a) makes the AS implementation easier
b) there is really no point (IMO) to have a mixture of signed and unsigned
parameters
c) certain parameters should go into the RO - e.g. the code_challenge to
prevent the
I also slightly prefer the merge approach.
There are plusses and minuses to both.
Changing again now that it is past ISEG review and backing out a Discuss
will add another three to six months at this point, if we can get them to
agree to the change.
John B.
On Tue, Dec 10, 2019, 11:29 PM Nat Sa
I Like it
--
Anggi Makmur
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
