Lots of minor grammar and wording catches here. I apologize if any of these were already brought up and addressed.
1.2.3, second paragraph: "When issuing an implicit grant, the authorization server does not authenticate the client and in some cases, the client identity can be verified..." should be "When issuing an implicit grant, the authorization server does not authenticate the client. In some cases, the client identity can be verified..."

1.5, first paragraph: Last sentence should be changed to "Issuing a refresh token is optional. If an authorization server issues a refresh token, it is included when issuing an access token."

2.1, definition of public client: last sentence ends with "via any other mean", which should be "via any other means".

2.1, definition of native applications: "On the other hand, dynamically issued credentials such as access tokens or refresh tokens, can receive an acceptable level of protection" should be "On the other hand, dynamically issued credentials such as access tokens or refresh tokens can receive an acceptable level of protection" (final comma is unnecessary).

3.1, second paragraph: Add a comma after "beyond the scope of this specification", so it reads "The means through which the client obtains the location of the authorization endpoint are beyond the scope of this specification, but the location is typically provided in the service documentation".

3.2.1, first sentence: Unnecessary comma between "requirements" and "MUST"; should read "Confidential clients, clients issued client credentials, or clients assigned other authentication requirements MUST authenticate..."

4.1, section (E): last sentence is missing a subject. "If valid, responds back with an..." should read "If valid, the authorization server responds back with an..."

4.1.2 and 4.1.2.1, also 4.2.2 and 4.2.2.1, state description: last sentence is missing a MUST. Should read "REQUIRED if the state parameter was present in the client authorization request. The state parameter MUST be set to the exact value received from the client."

4.1.3, redirect_uri description: Change "REQUIRED, if the redirect_uri parameter was included in the authorization request described in Section 4.1.1, and their values MUST be identical" to "REQUIRED, if the redirect_uri parameter was included in the authorization request as described in Section 4.1.1. If included, the two values MUST be identical".

4.1.3, final paragraph ("The authorization server MUST: ..."): Is any additional normative language required for lists such as this in order to specify that the AS must do ALL of the items in the list? Similar MUST lists appear elsewhere throughout the rest of the document. Also, the final bullet should be reworded; suggest "ensure that the redirect_uri parameter is present if the redirect_uri parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical".

4.2, first paragraph: clarify that implicit grants can be used only for access tokens by including the word "only" here: "The implicit grant type is used to obtain access tokens only..."

4.3.2, paragraph after the parameter descriptions: "If the client type is confidential or was issued client credentials" should be reworded to "If the client type is confidential or the client was issued client credentials".

9, bullets following second paragraph: Change this to a definition list format instead of a bulleted list.

9, final bullet following "when choosing between an external or embedded user-agent...": Last sentence starts "Embedded user-agent educate..." but should be "Embedded user-agents educate..."

10.2, second paragraph: last sentence is a fragment. Reword to "For example, the authorization server should engage the resource owner to assist in identifying the client and its origin."

10.5, second paragraph, first sentence: extraneous comma between "authorization server" and "is". Should be "...verify that the resource owner who granted authorization at the authorization server is the same resource owner..."

10.6, last paragraph, first sentence: extraneous comma between "authorization code" and "is the same". Should be "... the authorization server MUST ensure that the redirection URI used to obtain the authorization code is the same as the redirection URI provided ..." Last sentence should be reworded; suggest "The authorization server MUST require public clients and SHOULD require confidential clients to register their redirection URIs. If a redirection URI is provided in the authorization request, the authorization server MUST validate the URI received against the registered value."

10.14, first sentence: Reads awkwardly and should be reworded; suggest "A code injection attack occurs when an unsanitized input or otherwise external variable is used to modify application logic."

11.1, 11.2, 11.3, 11.4: second to last paragraph is missing "(s)" on the end of "Designated Expert": "Decisions (or lack thereof) made by the Designated Expert can be..." should be "Decisions (or lack thereof) made by the Designated Expert(s) can be..."

11.2, second paragraph has an extraneous comma after "or the token endpoint response": "...the token endpoint request, or the token endpoint response, are registered" should be "...the token endpoint request, or the token endpoint response are registered".

11.2.1, "Parameter usage location" description should have references to the relevant sections of this spec, as 11.4.1 does.

--Amanda Anganes
The MITRE Corporation
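The redirection-URI and state rules touched on in the 4.1.2, 4.1.3 and 10.6 comments above, as an added example that is not part of the post or the draft: a minimal model of the authorization-server checks, with a constructed client registry. All function and field names are hypothetical.

```python
# Added example, not from the OAuth draft or the mailing-list post: a minimal
# model of the authorization-server checks discussed under 4.1.2/4.1.3 and 10.6,
# using a constructed client registry. Function and field names are hypothetical.
from dataclasses import dataclass
from typing import Optional

# Constructed registry: client_id -> (public?, registered redirection URIs).
REGISTERED_CLIENTS = {
    "public-app": {"public": True, "redirect_uris": {"https://app.example.com/cb"}},
    "conf-app":   {"public": False, "redirect_uris": set()},
}


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: Optional[str]  # value sent in the authorization request, if any


def validate_authorization_request(client_id, redirect_uri, state):
    """10.6: public clients MUST have registered URIs; a supplied redirect_uri
    MUST match a registered value exactly. 4.1.2: state is echoed unchanged."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    registered = client["redirect_uris"]
    if client["public"] and not registered:
        raise ValueError("public client without registered redirection URI")
    if redirect_uri is None:
        if len(registered) != 1:
            raise ValueError("redirect_uri required")
        redirect_uri = next(iter(registered))
    elif registered and redirect_uri not in registered:
        # Exact string comparison: no prefix, host-only or wildcard matching.
        raise ValueError("redirect_uri does not match a registered value")
    return {"redirect_uri": redirect_uri, "state": state}


def validate_token_request(code: IssuedCode, client_id, redirect_uri):
    """4.1.3: redirect_uri is REQUIRED if it was included in the authorization
    request, and the two values MUST be identical."""
    if code.client_id != client_id:
        return False
    if code.redirect_uri is None:
        return True  # not included earlier, so not required now
    return redirect_uri == code.redirect_uri
```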
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth