Good questions! Answers inline:
> On 12 Dec 2020, at 10:07, Torsten Lodderstedt wrote:
>
> Thanks for sharing, Neil!
>
> I‘ve got some questions:
> Note: I assume the tokens you are referring in your article are OAuth access
> tokens.
No, probably not. Just auth tokens more generically.
>
Thanks as lot Vittorio! You gave us a lot of homework but I think the draft
will be improved a lot based on it.
Re OIDC implicit: I‘m reluctant to explicitly endorse use of OIDC implicit
(response type „id_token“ or „code id_token“) as there are examples in the wild
where the id_token is used
Thanks for sharing, Neil!
I‘ve got some questions:
Note: I assume the tokens you are referring in your article are OAuth access
tokens.
- carrying tokens in URLs wie considered bad practice by the Security BCP and
OAuth 2.1 due to leakage via referrer headers and so on. Why isn’t this an
issue
If the current DPoP has code complexity "X", the relative additional
complexity to include access token hashes doesn't seem like very much.
An app choosing DPoP means accepting the code complexity that comes with
dealing with keys, composing the signing inputs for the proofs, signing,
the