> Finally, my last real concern (which is why I'm pushing back so much on code
> flow), is that this implies refresh tokens in the browser. My sense is that
> given the danger of this, the original OAuth2 RFC (via the implicit flow) was
> designed to limit the client's ability to obtain new access
Hello all --
I also have some thoughts/feedback on this document.
Personally I agree with some of the conclusions, but as it stands I think the
document's main conclusion that code flow is the real solution is not
sufficiently convincing.
I would like to see a brief summary of the current conc
Hi Hans, I hope it is acceptable to reply to your message on-list.
Others could correct me if I am wrong, but I believe the purpose of this
document is to recommend uses of other OAuth/OIDC specifications, not to
include its own technologies.
In terms of being another spec to be referenced, I t
Hi Torsten,
A few comments having just read this afresh:
2.1: 'Clients SHALL avoid' - is that normatively different to 'SHOULD' given it
appears to be permitted?
I find it a little hard to understand exactly what "avoid any redirects or
forwards which can be parameterized by URI query paramete
> On 08.11.2018 at 22:59, David Waite wrote:
>
> PKCE does not resolve any known code injection attacks for SPA public clients.
It can be utilized to detect code injection at the redirect between AS and
client. The PKCE verifier is bound to the user agent that initiated the
corresponding request
Hi all,
The new revision incorporates the recommendation to use more secure grant types
instead of implicit we agreed to add during the WG session on Monday. It also
has more text around justifications for our recommendation. Especially, there
is a new section 3.6 on access token injection.
Thanks again for the review, Eric. The resolutions published in
https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-04 are as follows...
From: OAuth On Behalf Of Eric Rescorla
Sent: Monday, August 27, 2018 4:03 AM
To: oauth
Subject: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-bcp
Rich versi
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Security Best Current Practice
Authors : Torsten Lodderstedt
J