Hi all, I'm arriving pretty late to the OAuth party, so please bear with me. I just finished my first end-to-end read of the v2 spec and noticed some minor issues. I wish I had some profound contribution to make, but initially it's a lot easier to notice the trivial details :) And sometimes such details are missed by those with more experience because it's easy to glance over things knowing what they are *supposed* to say rather than what they might really say. So hopefully there's still some value in a newbie bringing up the trivial stuff. And with that said, here's what I noticed:
* On pages 38/39 in Section 3.10.1 there is a parameter name conflict where "format" is used both for the client indicating the assertion format as well as the requested response format. The parameter is used in other flows for the latter meaning so, for consistency, it seems like it would make sense to rename the assertion format parameter to something like "assertion_format".

* In describing the optional "format" parameter the text, 'Defaults to "json" if no omitted' seems to have a typo and maybe needs a few more or a few less words :) The same content shows up in several places on pages 24, 28, 30, 33, 36, 39 & 41.

* On pages 28/29 the client polling interval is given inconsistent normative treatment. On page 28 it's a suggestion, "The minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint." but on the next page it's stronger, "The client makes the following request at an arbitrary but reasonable interval which MUST NOT exceed the minimum interval rate provided by the authorization server (if present via the "interval" parameter)."

* On page 41 in section 4 after the first example the paragraph starts with "verify the client credential, the validity of the refresh token..." - seems like something's missing here?

Regards,
Brian Campbell

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
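The polling-interval point above (SHOULD wait vs. MUST NOT poll faster than the server's "interval") is easiest to see in client code. The following is an added example, not code from the original post or from any OAuth draft: a token-endpoint polling loop that treats the server-supplied "interval" as a floor on the time between requests, which is the stricter reading quoted from page 29. The endpoint, the clock and the request parameters are constructed stand-ins so the example runs offline; the "authorization_pending" error name and the request parameter names are assumptions for illustration.

```python
"""Added example (not from the mailing-list post or any OAuth draft): a client
that polls the token endpoint and never polls faster than the server's
advertised minimum "interval".  Endpoint, clock and responses are constructed
stand-ins so the code runs offline."""
from typing import Callable, Dict, List, Optional


class FakeClock:
    """Deterministic clock so the loop runs without real sleeping (constructed)."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += max(0.0, seconds)


def make_fake_token_endpoint(interval: int, pending_polls: int, clock: FakeClock):
    """Constructed stand-in for the token endpoint.  It answers "pending" for the
    first `pending_polls` requests, advertising the minimum polling interval in
    an "interval" field as the spec text describes, then issues a token.
    Every request's timestamp is recorded so compliance can be checked."""
    calls: List[float] = []

    def endpoint(params: Dict[str, str]) -> Dict:
        calls.append(clock.time())
        if len(calls) <= pending_polls:
            # "authorization_pending" is an assumed error name for illustration.
            return {"error": "authorization_pending", "interval": interval}
        return {"access_token": "constructed-token", "token_type": "bearer"}

    return endpoint, calls


def poll_token_endpoint(endpoint: Callable[[Dict[str, str]], Dict],
                        params: Dict[str, str],
                        clock: FakeClock,
                        default_interval: int = 5,
                        max_polls: int = 100) -> Dict:
    """Poll until a token is issued.

    The server's "interval" is honoured as a minimum spacing between requests:
    the client waits at least that long after its previous request, and if the
    server raises the value mid-flow, the larger value applies from the next
    request onward.  Any error other than "pending" aborts the loop."""
    min_interval = default_interval
    last_request: Optional[float] = None
    for _ in range(max_polls):
        if last_request is not None:
            elapsed = clock.time() - last_request
            if elapsed < min_interval:
                clock.sleep(min_interval - elapsed)
        last_request = clock.time()
        resp = endpoint(params)
        if "access_token" in resp:
            return resp
        if resp.get("error") != "authorization_pending":
            raise RuntimeError(f"token endpoint error: {resp.get('error')}")
        server_interval = resp.get("interval")
        # Only ever tighten the floor; never let a smaller value speed polling up.
        if isinstance(server_interval, int) and server_interval > min_interval:
            min_interval = server_interval
    raise TimeoutError("gave up polling the token endpoint")


def min_spacing(timestamps: List[float]) -> float:
    """Smallest gap between consecutive polls; must be >= the server's interval."""
    return min(b - a for a, b in zip(timestamps, timestamps[1:]))


def run_demo() -> Dict:
    """Drive the loop against the fake endpoint and report what happened."""
    clock = FakeClock()
    endpoint, calls = make_fake_token_endpoint(interval=10, pending_polls=3, clock=clock)
    # Request parameters are constructed placeholders, not draft parameter names.
    resp = poll_token_endpoint(endpoint, {"code": "constructed-device-code"}, clock)
    return {"response": resp, "polls": len(calls), "min_spacing": min_spacing(calls),
            "finished_at": clock.time()}


if __name__ == "__main__":
    print(run_demo())
```

Under the MUST NOT reading, the client's default of 5 seconds is overridden by the server's 10 as soon as the first response arrives, so no two polls in the run are closer than 10 seconds apart; a server that wanted to enforce the SHOULD reading would instead have to rate-limit on its side.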
