From draft 23, section 10.3:
The client SHOULD request access tokens with the minimal scope and
lifetime necessary. The authorization server SHOULD take the client
identity into account when choosing how to honor the requested scope and
lifetime, and MAY issue an access token with a less rights
There is nothing explicit in draft 23 about requesting a scope lifetime. It
is, as they say, fuzzy.
You know that some people have used additional scopes like offline_access to
request longer lifetimes.
It may be reasonable to preconfigure something at the Authorization server
based on
From section 10.14: (draft 23)
The Authorization server and client MUST validate and sanitize any value
received, and in particular, the value of the state and redirect_uri
parameters.
Elsewhere in the spec the AS is instructed to exactly preserve the state
and to consider it an opaque
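The two section 10.14 requirements that the message quotes, validating redirect_uri and preserving state as an opaque value, are easy to get wrong at the authorization server. The following is an added example written for this page, not code from the thread, the draft, or any implementation discussed in it. It assumes a hypothetical client registration table (REGISTERED_REDIRECT_URIS), a constructed client_id, and a local length cap on state; the draft's ABNF for state is 1*VSCHAR (printable ASCII), and the cap is an operational choice, not something the spec sets. The point it demonstrates is that redirect_uri is matched byte-for-byte against the registered set, that the AS never redirects to an unvalidated URI even to report an error, and that state is length- and charset-checked but otherwise echoed back untouched.

```python
from urllib.parse import urlencode

# Constructed client registration (an assumption for this example, not data from
# the thread): each client_id maps to the exact redirect URIs it pre-registered.
# A request's redirect_uri is valid only if it is a byte-for-byte member of this
# set; no prefix match, no host-only match, no "normalization" before comparing.
REGISTERED_REDIRECT_URIS = {
    "s6BhdRkqt3": {
        "https://client.example.com/cb",
        "https://client.example.com/cb2",
    },
}

# state is 1*VSCHAR (0x20-0x7E) in draft 23's ABNF; the length cap is a local
# operational limit chosen for this example, not a value from the spec.
MAX_STATE_LEN = 512


def validate_redirect_uri(client_id, redirect_uri):
    """Return the redirect URI to use, or None if the request must be refused.

    A missing redirect_uri is accepted only when the client registered exactly
    one URI; with several registered the request is ambiguous and is rejected.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return None
    if redirect_uri is None:
        return next(iter(registered)) if len(registered) == 1 else None
    # Exact string membership: "/cb/../x", "/cb?x=1" or "/cb#frag" all fail.
    return redirect_uri if redirect_uri in registered else None


def validate_state(state):
    """Check that state can be echoed back verbatim, without interpreting it."""
    if state is None:
        return True  # state is optional for the client in draft 23
    if not 0 < len(state) <= MAX_STATE_LEN:
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in state)


def handle_authorization_request(params, issue_code):
    """Authorization endpoint decision for the authorization code flow.

    Returns (redirect, payload). redirect=True means payload is the URL to send
    the user agent to; redirect=False means the AS must render payload as an
    error page itself, because it has no trusted URI to redirect to.
    """
    target = validate_redirect_uri(params.get("client_id"), params.get("redirect_uri"))
    if target is None:
        # Never bounce the user to an unverified URI, not even to report an error.
        return False, "invalid_request: redirect_uri does not match a registered value"

    state = params.get("state")
    if not validate_state(state):
        # An error redirect would have to echo state exactly, which a malformed
        # value cannot be, so this one is rendered locally as well.
        return False, "invalid_request: state is not 1*VSCHAR or is too long"

    query = {"code": issue_code()}
    if state is not None:
        # Preserved exactly as received; urlencode only applies transport escaping
        # that the client's query parser reverses.
        query["state"] = state
    separator = "&" if "?" in target else "?"
    return True, target + separator + urlencode(query)
```

The important failure-mode choice is in the first branch: an invalid redirect_uri produces a locally rendered error rather than an error redirect, since the only URI available to redirect to is the one that just failed validation.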
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of
the IETF.
Title : OAuth 2.0 Threat Model and Security Considerations
Author(s) : Torsten Lodderstedt
Hi Tim,
I just submitted the revised version of the OAuth 2.0 security document
(http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-02). This
revision should address the issues you raised in your AppsDir review. We
especially removed all normative language from the document.
We took