Since that is my comment referenced in the OpenID thread, I should clarify
that my intent was to have this language in the Security BCP with the
caveat that it's only applicable if your AS intends on supporting SPAs. In
other words, we're not saying all ASs SHOULD add CORS headers, only ASs
that in
I don't know the best language either but very much concur with the
sentiment.
On Wed, Mar 8, 2023 at 8:36 AM Aaron Parecki wrote:
> Since that is my comment referenced in the OpenID thread, I should clarify
> that my intent was to have this language in the Security BCP with the
> caveat that it
I would suggest SHOULD guidance for CORS for OAuth token endpoints and
authorization endpoints which are publicly accessible.
There are a lot of misconceptions about the security properties of CORS, and in
particular the security properties from disabling CORS for an otherwise safe
resource. To
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol WG of the
IETF.
Title : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
Authors : D
Hi Mark,
We've published https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-14.html,
which incorporates the PR. Could you please approve IANA registration of the
HTTP fields on that basis?
Thanks again for your help with the draft.
--
I thought we already had; if not, approved.
Cheers,
> On 9 Mar 2023, at 12:32 pm, Mike Jones wrote:
>
> Hi Mark,
> We’ve published
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-14.html, which
> incorporates the PR. Could you please approve IANA registration of the HTTP
> fiel