> Now, as far as the spec change is concerned, I agree with John that it is not
> required.
>
> However, a Best practice document would probably help the developers.

That's exactly what I had in mind -- no spec change, but something (or some things) to help guide developers into doing the right thing, security-wise and user-experience-wise.

Thanks, everyone, for discussing this.

Barry

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth