Vittorio, Brian,

The following is my document shepherd review for the step-up
authentication document:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-06.html


*Comments*

* Section 4, first sentence:


You might have a reason for using MAY, instead of SHOULD, but it is not
obvious to me. Can you add some text to explain the reason for this?


* Section 5

“when it comes to access tokens in this specification it is RECOMMENDED
that the requested acr value is treated as required”

Not sure why this sentence started in such a way. Why not just explicitly
use MUST to make sure that the acr value is included in the access token?


* Section 9, last sentence

I think we need to have a stronger statement here and not leave it wide
open like this.

Maybe state that the resource server SHOULD NOT return a challenge if the
request did not include a valid token?


*Nits*

Section 2 - “not be necessarily hold true” -> drop the “be”

Section 5 - Thee -> The

Section 8 - any undesirable -> an undesirable

Section 9 - {#Challenge} -> fix the reference


Regards,
 Rifaat
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
