Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

2014-10-23 Thread Matias Woloski
+1
On Thu, Oct 23, 2014 at 10:58 AM, Nat Sakimura wrote:
> I second John's message. There are many ways to achieve a desired level of
> security and one of the most popular ways is to delegate it to the transport
> layer and use 'none' as the alg. If 'none' becomes non-MTI, then it may
> cause a

[OAUTH-WG] Getting the authorization code - Native Applications

2011-06-01 Thread Matias Woloski
I've read the latest spec and some of the discussions around the user-agent flow and native apps. I've read about the different options to get the authz code (copy-paste, polling the title of the window, custom scheme, etc). I might be missing something but my question is: why can't we send a nonc