Re: [OAUTH-WG] New draft: Mix-up prevention - adding "iss" parameter to the authorization response

2020-10-26 Thread Vladimir Dzhuvinov
Hi Karsten,

Thanks for the write up. I would like to suggest the name authorization_response_iss_parameter_supported, instead of iss_parameter_supported. To make it explicit and unambiguous that it's about the authZ response.

Vladimir

On 26/10/2020 16:33, Karsten Meyer zu Selhausen wrote:
> > He

Re: [OAUTH-WG] New draft: Mix-up prevention - adding "iss" parameter to the authorization response

2020-10-26 Thread Brian Campbell
I'd suggest removing the "of an OAuth authorization grant" bit from the abstract. The term 'authorization grant' has meaning from https://tools.ietf.org/html/rfc6749?#section-1.3 that doesn't really work there in the abstract.

On Mon, Oct 26, 2020 at 8:33 AM Karsten Meyer zu Selhausen < karst

Re: [OAUTH-WG] New draft: Mix-up prevention - adding "iss" parameter to the authorization response

2020-10-26 Thread Aaron Parecki
To capture my comment from the interim meeting call, I would like to see some explicit text in this draft (as well as the Security BCP section that will reference this draft) that clarifies this parameter is not needed and this attack is not relevant if a client only interacts with one authorizatio