Latest is always at: http://github.com/theRazorBlade/draft-ietf-oauth
(xml is always up to date. txt and html when I can. Atom feed available)

---

Latest changes:

- Split authorization endpoint to authorization and token endpoints.
- Shortened type parameter values to just the flow name.
- Removed the Native Application flow.
- Renamed Web Callback flow (back) to Web Server flow.
- Made client secret optional in Web Server flow.
- Moved User-Agent flow to top of list.
- Renamed 'redirection' and 'callback' to 'redirect_uri'.
- A few other small things I can't recall...

Please review sections 1-5 and submit any changes needed for a -00 draft. This means focus on critical changes that should be made before the document is considered a starting point for the working group. I have asked the chairs for a consensus call about promoting this to a working group draft on 4/19 so please submit feedback as soon as possible (you had a few weeks already).

Open issues:

* restriction on token string characters
* specificity of the assertion flow
* parameter name prefix
* username parameter proposal
* scope parameter
* limiting signed requests to use the auth header (no query / form body)
* separation of client authentication from flows

Closed issues:

* requiring HTTPS for bearer token protected resource requests
* token size limit
* single authorization endpoint
* inclusion of both user-agent flow and native application flow
* adding refresh token as optional in all access token requests

Please (PLEASE) don't reply to this message with feedback but instead send a separate post for each major issue. Feel free to bunch small comments into one post. This will help facilitate our discussion.

Thanks!

EHL
