t, which I think is logical,
and if you don't have a secret, then you use `none`
— Emelia
> On 22 Apr 2025, at 12:05, Oliva Fernandez, Jorge
> wrote:
>
>
> Hi Emelia,
>
> Some time ago, I also came across this text: “The client MAY omit the
> parameter if th
HTTP Basic
> authentication scheme as defined in [RFC2617]
Does that imply HTTP Basic authentication can only be used with client password
(client_secret)?
It feels like it'd be good to get these properly specified somewhere, as the
original specification in RFC 6749
Hi,
You could perhaps use private_key_jwt from the OpenID specs:
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Yours,
Emelia
> On 3 Mar 2025, at 20:06, Srinivas Challa
> wrote:
>
> Hi,
> I am from Workday working on the OAuth feature. We current
//github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/pull/29
<https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/pull/29/files>
— Emelia
> On 27 Jun 2025, at 14:37, Justin Richer wrote:
>
> I like the idea of that if this goes forward. It
ng to registration data a property like maxAge or something too?
Yours
Emelia
> On 26. Jun 2025, at 23:12, Justin Richer wrote:
>
>
> I’ve been seeing a lot of recent conversations trying to work around the
> limitations of OAuth needing a client_id as part of the synta
(fairly common sizes I've seen)

If you allow a user to select a client_id, then you should absolutely validate that that input isn't going to cause confusion with the other specifications implemented & that it won't cause security issues.

Also, thanks for the early feedback Dick!

Yours,
namic client registration)
> Thanks for this work Emelia! Will you be in Vancouver IETF?
Unfortunately I won't be in Vancouver for it, but do intend to attend remotely
where possible. (I'm an independent developer, so don't typically have budget
for travel)
Yours,
Emelia Smith
On 8. Jul 2024, at 21:17, Dick Hardt wrote:

On Mon, Jul 8, 2024 at 11:33 AM Emelia S. <eme...@brandedcode.com> wrote:

I would suggest that if an AS were to implement two competing specifications for what a client_id means, then it'd be up to the implementor to decide what is used when. E.
Hi Neil,

I mentioned in the zulip chat that I rather like the idea of using protocol names as scopes, but that maybe you'd want them to be finer grained.

On second pass, I'm wondering if it'd make sense to expose a list of supported resources & protocols for the authorization server, not just relyin
org/rfc/rfc6749.html#appendix-A.5
Is there anything I've missed here?
Yours,
Emelia
___
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org