Seems to be similar to the intentions of: https://datatracker.ietf.org/doc/html/rfc8176 and/or https://openid.net/specs/openid-connect-modrna-authentication-1_0-06.html
-- -jim Jim Willeke On Wed, Jul 27, 2022 at 7:45 AM Jaimandeep Singh <jaimandeep.phdcs21= 40nfsu.ac...@dmarc.ietf.org> wrote: > Dear Aaron and esteemed members, > > 1. It was good to note that we are planning to simplify the definitions of > confidential and public clients in the new specs. However, my thoughts are > that instead of these definitions which are open to interpretation, we can > work on these two options: > > *Option I*: > 2. We can define the client applications in terms of trust assurance > levels. The trust assurance level will determine the ability of the > application to acquire delegated authorization rights (permitted scopes) > for a longer duration. > > (a) *Trust Assurance Level 0*. This is the minimum trust assurance level. > The application does not have means of mutual identification and > authentication. The delegated authorization rights would be restricted to a > minimum level of permissions (scopes). The lifespan of the delegated > authorization rights (in terms of access and refresh tokens) will be > minimal or for one time use only. > > (b) *Trust Assurance Level 1*. The applications have the means of > establishing mutual identification and authentication. The delegated > authorization rights (scopes) will be more permissive in nature. The > lifespan of the authorization rights (in terms of access and refresh > tokens) will be of a more persistent nature. > > *How Does this help?* > 3. We are moving from the less formal classification and interpretation of > client applications to a more robust definition based on the principles of > mutual identification and authentication. > > 4. It can additionally form the basis of DPoP. > > *Option II:* > 5. In the main meeting we discussed the possibility of moving towards a > uniform OAuth flow by converting public apps to confidential apps. We need > more discussions on the same. > > Regards and Best Wishes > Jaimandeep Singh > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth