I've just read through the current spec, and had a few quick questions/observations (some obvious, just making a note of them):
1). Is there a recommended way of signing the entire body of a request (other than SSL)?
2). The end of the doc seems unfinished, specifically: 6.1.2. The 'authorization-uri' Attribute, 6.1.3. The 'algorithms' Attribute, 6.1.4. The 'error' Attribute.
3). 6.1.2 should probably be called "auth-uri" to match the attribute name given previously, and there is no mention of a corresponding "token-uri" section.
4). 3.5.3.1. Client Requests Authorization: The example includes "device_code", which should be "code" as listed in the parameters above.
5). Not sure why the redirect_uri can't contain a query component if 'state' is present? Seems like a weird restriction.

Apologies if this stuff has been covered, I'm still catching up on the list.

Cheers,
Beau
