Latest is always at: http://github.com/theRazorBlade/draft-ietf-oauth
(xml is always up to date. txt and html when I can. Atom feed available)

I finished going over sections 1-4 which includes the overview, flows, and refresh method. Next is using tokens. By finished I mean those sections are ready to be submitted as a working group draft -00.

Unfortunately I am unable (or unwilling) to go back and review comments made to sections I previously ignored. Please review sections 1-4 again and submit any changes needed for a -00 draft. This means focus on critical changes that should be made before the document is considered a starting point for the working group.

Open issues:

* token size limit
* restriction on values characters
* specificity of the assertion flow
* parameter name prefix
* single authorization endpoint
* inclusion of both user-agent flow and native application flow
* requiring HTTPS for bearer token protected resource requests
* username parameter proposal
* scope parameter
* adding refresh token as optional in all access token requests
* limiting signed requests to use the auth header (no query / form body)

Once we approve this as -00 I plan to post a weekly draft based on the feedback received and approved by the group. I will no longer make changes to the draft (after -00) without working group consensus.

Please (PLEASE) don't reply to this message with feedback but instead send a separate post for each major issue. Feel free to bunch small comments into one post. This will help facilitate our discussion.

The spec is now 50 pages before adding the security consideration and signature workflow. It's big. I would appreciate any feedback you can spare so we can decide next week if it is ready for a -00.

Thanks!

EHL
