Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-10 Thread Brian Campbell
I've published an -04. It has that very minor change. There was also an off-list discussion during WGLC that resulted in thinking it'd be worthwhile to add a reminder that access tokens are opaque to clients. So I took that as LC feedback and -04 adds a brief note towards that end.
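To make the "opaque to clients" reminder concrete, here is an added illustration (not code from the draft or from any of the posters) of the step-up round trip. The resource server is the side that reads the token's `acr` and `auth_time` claims and, when they fall short of its policy, answers with the `insufficient_user_authentication` error plus `acr_values` / `max_age` in a `WWW-Authenticate: Bearer` challenge, as the draft specifies; the client never looks inside the access token, it only parses the challenge and carries its parameters into a fresh authorization request. The ACR values, client id and redirect URI below are made up for the example.

```python
"""Step-up authentication challenge, both sides (added example, not from the draft)."""
import re

ERROR_CODE = "insufficient_user_authentication"   # error code defined by the step-up draft

# Resource-server side ---------------------------------------------------------

def build_challenge(required_acr, max_age, description="Stronger authentication required"):
    """Compose the WWW-Authenticate value announcing what the RS requires."""
    params = [f'error="{ERROR_CODE}"', f'error_description="{description}"']
    if required_acr:
        params.append(f'acr_values="{" ".join(required_acr)}"')   # space-separated list
    if max_age is not None:
        params.append(f"max_age={int(max_age)}")                  # seconds, unquoted
    return "Bearer " + ", ".join(params)


def resource_server_check(token_claims, now, required_acr, max_age):
    """RS policy: the RS, not the client, inspects the token's acr/auth_time.

    token_claims is whatever the RS obtained by validating the token (a JWT or
    an introspection response); the client never sees this structure.
    Returns None when the token satisfies policy, else the challenge header value.
    """
    acr_ok = token_claims.get("acr") in required_acr
    age_ok = (now - token_claims.get("auth_time", 0)) <= max_age
    if acr_ok and age_ok:
        return None
    return build_challenge(required_acr, max_age)


# Client side ------------------------------------------------------------------

# key="quoted value" or key=bareword, as used in WWW-Authenticate auth-params
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header):
    """Split a 'Bearer k=v, k="v"' header into a dict of auth-params."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(rest)}


def client_step_up_request(header, client_id, redirect_uri):
    """Turn a step-up challenge into authorization-request parameters.

    The client decides purely from the challenge; the access token it was
    holding is opaque and is not decoded or inspected here.
    Returns None when the challenge is not a step-up challenge.
    """
    challenge = parse_challenge(header)
    if challenge.get("error") != ERROR_CODE:
        return None
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    for key in ("acr_values", "max_age"):   # forwarded verbatim to the AS
        if key in challenge:
            params[key] = challenge[key]
    return params


if __name__ == "__main__":
    # Constructed sample: a password-only token, 200 s old, hitting an MFA + 300 s policy.
    hdr = resource_server_check({"acr": "example:pwd", "auth_time": 1000}, now=1200,
                                required_acr=("example:mfa",), max_age=300)
    print(hdr)
    print(client_step_up_request(hdr, "client-1", "https://client.example/cb"))
```

Note that `max_age` is the freshness the RS demands, independent of whether the ACR already matched; a token with the right `acr` but an old `auth_time` is challenged too.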

[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-04.txt

2022-10-10 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Step-up Authentication Challenge Protocol Authors : Vittorio Bertocci

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-10 Thread Vittorio Bertocci
Thanks Dima for the comment. Some thoughts: > (editorial)... Good point. "statically" would characterize the simplest of the scenarios, but in fact any case where the AS is the only arbiter of the authn level works for the point we are trying to make. We'll drop "statically". Thanks! > Apart

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-10 Thread Vittorio Bertocci
Hi Pieter, thank you for your clarification and support! :) Cheers V. On Mon, Oct 10, 2022 at 7:52 AM Pieter Kasselman wrote: > I want to clarify that I don't see any blockers to using the step-up auth >

Re: [OAUTH-WG] How to enforce PKCE in authorization servers with a mix OAuth 2.0 and 2.1 clients?

2022-10-10 Thread Vladimir Dzhuvinov
Hi Dima, A published RFC cannot be extended to specify new things, only have errata added to it. The OAuth 2.1 spec is still a draft in the works. What do you think is a suitable default value for a code_challenge_method client reg parameter? From the perspective of an OAuth 2.0 deployment it
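As an added illustration of the question (not code from any poster, an AS product or the OAuth 2.1 draft): an authorization server serving both OAuth 2.0 and 2.1-style clients can key PKCE enforcement off a per-client registration value. The `code_challenge_method` registration field below is the hypothetical parameter the thread is discussing, modelled as `None` for a legacy client (PKCE optional, `plain` tolerated) and `"S256"` for a client that must always send an S256 challenge. The S256 transform follows RFC 7636; the client ids are made up.

```python
"""PKCE enforcement for a mixed OAuth 2.0 / 2.1 client population (added example)."""
import base64
import hashlib
import secrets

# Hypothetical per-client registration policy (the thread's proposed parameter).
# None  -> legacy OAuth 2.0 client, PKCE optional and 'plain' tolerated
# "S256" -> PKCE mandatory with the S256 method, as OAuth 2.1 requires
CLIENTS = {
    "legacy-app": {"code_challenge_method": None},
    "oauth21-app": {"code_challenge_method": "S256"},
}


def s256(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(client_id, code_challenge=None, code_challenge_method=None):
    """Authorization-endpoint check.

    Returns (True, binding) where binding is what the AS stores with the code
    (None for a legacy client that sent no challenge), or (False, error).
    """
    policy = CLIENTS[client_id]["code_challenge_method"]
    if code_challenge is None:
        if policy is None:
            return True, None                       # legacy client, PKCE optional
        return False, "invalid_request: code_challenge required for this client"
    method = code_challenge_method or "plain"       # RFC 7636 default when absent
    if method not in ("plain", "S256"):
        return False, "invalid_request: unsupported code_challenge_method"
    if policy == "S256" and method != "S256":
        return False, "invalid_request: code_challenge_method must be S256"
    return True, (method, code_challenge)


def redeem(binding, code_verifier):
    """Token-endpoint check of code_verifier against what was bound to the code."""
    if binding is None:
        # No challenge was bound. A stray verifier is treated as a downgrade
        # signal and rejected (assumption of this example, not a spec citation).
        return code_verifier is None
    if code_verifier is None or not (43 <= len(code_verifier) <= 128):
        return False                                # RFC 7636 length bounds
    method, challenge = binding
    expected = s256(code_verifier) if method == "S256" else code_verifier
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    verifier = secrets.token_urlsafe(32)            # fresh 43-char verifier
    ok, binding = authorize("oauth21-app", s256(verifier), "S256")
    print(ok, redeem(binding, verifier))            # True True
    print(authorize("oauth21-app", "abc", "plain")) # rejected: plain not allowed
    print(authorize("legacy-app"))                  # (True, None): legacy, no PKCE
```

The split between `authorize` and `redeem` is the point: the policy decision happens once at the authorization endpoint, and the token endpoint only verifies whatever was bound to the code, so a 2.1 client can never be quietly downgraded to an unprotected code exchange.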

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-10 Thread Pieter Kasselman
I want to clarify that I don't see any blockers to using the step-up auth proposal from working with fine-grained policies. The comment and question was more to outline use cases being evaluated and to see whether others are observing this shift as well. Cheers Pieter From: OAuth On Behalf