Adam Roach has entered the following ballot position for draft-ietf-oauth-token-exchange-16: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks to everyone who worked on this document. I have a blocking issue that should be easy to resolve, and a handful of more minor issues.

§2.1:

> The client makes a token exchange request to the token endpoint with
> an extension grant type by including the following parameters using
> the "application/x-www-form-urlencoded" format

This document needs a normative citation for this media type.

My suggestion would be to cite REC-html5-20141028 section 4.10.22.6, as this appears to be the most recent stable description of how to encode this media type. I'd love to hear rationale behind other citations being more appropriate, since I'm not entirely happy with the one I suggest above (given that it's been superseded by HTML 5.2); but every other plausible citation I can find is even less palatable (with HTML 5.2 itself having the drawback of not actually defining how to encode the media type, instead pointing to an unstable, unversioned document).

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Abstract:

> This specification defines a protocol for an HTTP- and JSON- based

Nit: "...JSON-based..."

---------------------------------------------------------------------------

§1.1:

> impersonates principal B, then in so far as any entity receiving such

Nit: "insofar"

---------------------------------------------------------------------------

§2.1:

> The client makes a token exchange request to the token endpoint with
> an extension grant type by including the following parameters using
> the "application/x-www-form-urlencoded" format with a character
> encoding of UTF-8 in the HTTP request entity-body:

I think there's an implication here that POST is used, but that probably needs to be made explicit.

---------------------------------------------------------------------------

§2.2.1:

> response using the "application/json" media type, as specified by
> [RFC7159], and an HTTP 200 status code. The parameters are

RFC 7159 has been replaced by RFC 8259.

---------------------------------------------------------------------------

§3:

> urn:ietf:params:oauth:token-type:refresh_token
> Indicates that the token is an OAuth 2.0 refreshe token issued by

nit: "refresh"