[OAUTH-WG] WGLC on draft-ietf-oauth-v2-bearer-03.txt

This is a Last Call for comments on http://www.ietf.org/id/draft-ietf-oauth-v2-bearer-03.txt Please have your comments in no later than March 25 (extended deadline because of the ongoing OAuth base specification WGLC). Do remember to send a note in if you have read the document and have no

[OAUTH-WG] slightly alternative preamble (was: Re: Draft -12 feedback deadline)

I propose that the or native applications text be dropped from the first paragraph in section 4.2 Implicit Grant [1]. There is clearly some disagreement about what is most appropriate for mobile/native applications and many, including myself, don't feel that the implicit grant works well to

[OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

Hello! Can some kind soul help me understand the purpose of the shared secret part of the Temporary Credentials in RFC5849? - The client authenticates using the Cient Credentials, and gets the Temporary Credentials. - The Resource Owner gives their authorization. - The Temporary Credentials

Re: [OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

Oops, just noticed a typo in my previous message, I meant: The part that's puzzling me is the RFC says the client authenticates using *both* the Client Credentials and the _Temporary_ Credentials in the Token Credentials Request. I could understand one or the other, but why both? (and

Re: [OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

Thanks for the quick response! Can I ask a more specific question: What's the security purpose of the Temporary Credentials shared secret? If an implementation were to, say, always use an empty string, would it make any difference to the security of the protocol? - Craig. -Original

Re: [OAUTH-WG] validate authorization code in draft 12

I agree with Tosten. A healthy client is not expected to issue an access token request unconditionally when receiving an authorization code at its redirect_uri. The client should do so only if it is in the right state with a correlatable authorization request pending. Best regards, Huilan LU

Re: [OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

It limits the ability to exchange the token in cases where the client has no private secret, or if the client has multiple instances using the same credentials (providing an isolation between them). You need to make your own security analysis of the protocol and your needs. EHL From:

[OAUTH-WG] Comments on draft-ietf-oauth-v2-bearer-03

Comments on the bearer token spec: 1. There is a whole lot of text about OAuth2 get-a-token parts that isn't necessary in the bearer token spec. A bit of context can be useful to a reader, but in this case it brings too much of the complexity of the get-a-token flows into what should be a