Brian

*grant type*
Thanks for the grant type pointers.

*client_id*
The reciprocal flow by its nature is part of a code_grant flow, and I expect that party A and party B can be reversed. Given that, it is unclear why client_id would not be required. Would you elaborate?

*response*
Agree a response should be defined. 200 if ok, 400 if invalid. Any reason for doing more?

/Dick

On Tue, Jan 16, 2018 at 9:27 AM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> A few thoughts on the new draft and/or reiterating comments from the call earlier.
>
> "[DH: should this be a URI?]" - yes, the grant type should be a URI because, for better or worse, that's how OAuth allows for new grants https://tools.ietf.org/html/rfc6749#section-4.5 (the device flow and JWT authorization grant are examples that can be followed https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.4 https://tools.ietf.org/html/rfc7523#section-2.1).
>
> I don't believe client_id should be required in 2.2. Sending/requiring client_id or not at the token endpoint depends on the form of client authentication that's taking place. That's how it works with the grants in RFC6749 and other extension grants. This draft should be consistent with all that.
>
> I do think some discussion or description of what the response will/should look like is needed. Things are kinda reversed in this flow with party A 'pushing' the authorization code it generated up to party B's authorization server. It's not clear (to me anyway) how party B's AS should respond and if/how it would be consistent with a typical token endpoint response. Maybe echo back the access token that was just sent in? But I dunno.
>
> The example needs some attention (grant type value is old, the basic authn header probably isn't legal, maybe more).
>
>
> On Tue, Jan 16, 2018 at 7:46 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>
>> Hi Dick,
>>
>> maybe you can re-submit the document with a new filename that matches the updated title.
>>
>> Ciao
>> Hannes
>>
>>
>> On 01/16/2018 03:39 PM, Dick Hardt wrote:
>> > I have made changes based on feedback on the call this morning. Updated version at:
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
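The three points argued in the thread (an extension grant is named by a URI per RFC 6749 section 4.5, client_id in the body is only needed when the client is not authenticating some other way, and the response should be a plain 200 or an RFC 6749 section 5.2 error) can be made concrete as the request party A sends and the token-endpoint check party B's AS runs. The following is an added example written for this page, not code from the draft or from any of the participants. It assumes a placeholder grant URI (the draft's actual value is not on the page), a `code` form parameter carrying the code party A pushes, a constructed client registry, an empty JSON object as the 200 body (the thread leaves the response content open), and a `realm` value for the WWW-Authenticate challenge. It also encodes and decodes HTTP Basic client credentials the way RFC 6749 section 2.3.1 requires (form-urlencode each value before base64), which is one way a hand-written Basic header in an example can end up "not legal".

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed client registry for party B's authorization server (example data only).
CLIENTS = {"party-a": "s3cret"}

# Extension grants are identified by absolute URIs (RFC 6749 section 4.5). The JWT bearer
# grant (RFC 7523 section 2.1) is a real registered example; the reciprocal grant URI here
# is an assumed placeholder, not a value taken from any draft.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
RECIPROCAL_GRANT = "urn:example:oauth:grant-type:reciprocal"  # assumed placeholder

FORM = "application/x-www-form-urlencoded"


def make_basic_header(client_id, client_secret):
    """HTTP Basic client credentials per RFC 6749 section 2.3.1: each value is
    form-urlencoded *before* being joined with ':' and base64-encoded."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Inverse of make_basic_header; returns (client_id, client_secret) or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    cid, _, secret = decoded.partition(":")
    return unquote_plus(cid), unquote_plus(secret)


def reciprocal_request(client_id, client_secret, code, creds_in_body=False,
                       grant_type=RECIPROCAL_GRANT):
    """Party A's side: build the token-endpoint request that pushes the code it issued
    up to party B. Using 'code' as the parameter name is an assumption."""
    params = {"grant_type": grant_type, "code": code}
    headers = {"Content-Type": FORM}
    if creds_in_body:  # client_id/client_secret in the body (RFC 6749 section 2.3.1)
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:              # Authorization header; client_id not needed in the body
        headers["Authorization"] = make_basic_header(client_id, client_secret)
    return headers, urlencode(params)


def authenticate_client(headers, form):
    """Return the authenticated client_id or None. client_id is only required in the
    body when the client does not authenticate via the Authorization header."""
    auth = headers.get("Authorization")
    if auth is not None:
        creds = parse_basic_header(auth)
        if creds is None:
            return None
        cid, secret = creds
        if form.get("client_id", cid) != cid:
            return None  # a body client_id, if present, must match the header
    else:
        cid, secret = form.get("client_id"), form.get("client_secret")
        if cid is None or secret is None:
            return None
    expected = CLIENTS.get(cid)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return cid


def token_endpoint(method, headers, body):
    """Party B's token endpoint for the reciprocal grant. Returns (status, headers, json).
    Errors follow RFC 6749 section 5.2; the empty 200 body is an assumption."""
    if method != "POST" or not headers.get("Content-Type", "").startswith(FORM):
        return 400, {}, {"error": "invalid_request"}
    parsed = parse_qs(body, keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):  # no repeated parameters (section 3.2)
        return 400, {}, {"error": "invalid_request"}
    form = {k: v[0] for k, v in parsed.items()}

    client_id = authenticate_client(headers, form)
    if client_id is None:
        if "Authorization" in headers:  # section 5.2: header-based auth failure MUST be 401
            return 401, {"WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
        return 400, {}, {"error": "invalid_client"}

    grant_type = form.get("grant_type")
    if grant_type is None:
        return 400, {}, {"error": "invalid_request"}
    if grant_type != RECIPROCAL_GRANT:
        return 400, {}, {"error": "unsupported_grant_type"}

    if not form.get("code"):
        return 400, {}, {"error": "invalid_request"}
    # Party B would now store the pushed code, bound to client_id, for later redemption at
    # party A's token endpoint (out of scope here) and acknowledge receipt.
    return 200, {"Content-Type": "application/json", "Cache-Control": "no-store"}, {}
```

Both client-authentication styles reach the same handler; the body-level `client_id` is consulted only when there is no Authorization header, which is the behaviour the RFC 6749 grants already have. The 401-with-challenge branch is the one place where "400 if invalid" is not quite enough: section 5.2 requires 401 when a client that authenticated via the Authorization header fails.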