I didn't get to finish the editorial changes I want to make, so I pushed the
incomplete but stable draft out as -11. This includes all the normative
language changes the group agreed on, as well as all the feedback I had for
-10. The remaining editorial work should not change any implementation details;
it will just affect the document organization.
Changes in -11 include:
o Many editorial changes. Fixed user authorization section
structure. Removed unused normative references. Adjusted
language regarding single use of authorization codes.
o Fixed header ABNF.
o Changed access token description from shared symmetric secret to
password.
o Moved access grant 'none' to a separate section, renamed to
'client_credentials'.
o Demoted the HTTP status code requirement from MUST to SHOULD in
protected resource response error.
o Removed 'expired_token' error code.
o Moved all the 'code_and_token' parameters to the fragment (from
code being in the query).
o Removed 'assertion_type' parameter (moved to 'grant_type').
o Added note about redirecting to invalid redirection URIs (open
redirectors).
o Removed bearer token section, added new required 'token_type'
parameter with extensibility.
o 'error-uri' parameter value changed to absolute URI.
o OAuth 2.0 HTTP authentication scheme name changed to 'OAuth2'.
o Dropped the 'WWW-Authenticate' header field 'realm' parameter.
o Removed definition of access token characters.
o Added instructions for dealing with an error and an invalid
redirection URI.
Please provide feedback and review the document fully, even with the pending
editorial changes. IOW, please consider this document the final draft (pre-WG
last call) for all normative/implementation language.
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
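Three of the -11 changes listed above fit together at the authorization endpoint: the open-redirector note, the instructions for handling an error together with an invalid redirection URI, and moving the 'code_and_token' parameters into the fragment. The following is an added illustration of one way an authorization server can implement those points; it is example code written for this page, not text or code from draft-ietf-oauth-v2-11 or from the author. The client registry, the error_uri value, the 'example' token_type string and the helper names are all assumptions made for the example.

```python
"""Added example: redirect-URI validation at an OAuth 2.0 authorization endpoint.

Illustrative only, not taken from draft-ietf-oauth-v2-11. The client registry,
ERROR_URI, the token_type value and all helper names are assumptions.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed client registry (assumption): client_id -> exact registered redirection URIs.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": ["https://client.example.com/cb"],
}

# Assumption: a human-readable error page. -11 requires error_uri to be an absolute URI.
ERROR_URI = "https://server.example.com/docs/oauth-errors"


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact, case-sensitive comparison against the registered value(s).

    No prefix or host-only matching: a prefix match on "https://client.example.com"
    also accepts "https://client.example.com.attacker.net/", which would turn the
    authorization endpoint into an open redirector.
    """
    if not client_id or not redirect_uri:
        return False
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def build_redirect(redirect_uri, params, in_fragment):
    """Append params to redirect_uri, in the fragment (token responses) or the query (code only).

    Parameters whose value is None (e.g. an absent 'state') are omitted, and any query
    component already present in the registered URI is preserved.
    """
    params = {k: v for k, v in params.items() if v is not None}
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if in_fragment:
        fragment = encoded
    else:
        query = encoded if not query else query + "&" + encoded
    return urlunsplit((scheme, netloc, path, query, fragment))


def handle_authorization_request(params):
    """Return {'status': int, 'location': str | None, 'body': str}.

    Rule: the user agent is redirected only after redirect_uri has passed exact-match
    validation. If validation fails, every error (including this one) is shown to the
    user agent directly and nothing is sent to the supplied URI.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    state = params.get("state")

    if not redirect_uri_is_registered(client_id, redirect_uri):
        # Do NOT redirect; do not echo the registered URI either.
        return {"status": 400, "location": None,
                "body": "Invalid client_id or redirection URI; not redirecting."}

    response_type = params.get("response_type")
    if response_type == "code":
        # Authorization code only: query component of the redirection URI.
        out = {"code": secrets.token_urlsafe(24), "state": state}
        return {"status": 302, "body": "",
                "location": build_redirect(redirect_uri, out, in_fragment=False)}

    if response_type in ("token", "code_and_token"):
        # Anything carrying an access token goes in the fragment so it never reaches
        # the client's server logs or Referer headers. 'example' is a placeholder token_type.
        out = {"access_token": secrets.token_urlsafe(32), "token_type": "example",
               "expires_in": 3600, "state": state}
        if response_type == "code_and_token":
            out["code"] = secrets.token_urlsafe(24)
        return {"status": 302, "body": "",
                "location": build_redirect(redirect_uri, out, in_fragment=True)}

    # redirect_uri is valid, so a protocol error may be delivered to the client by redirect.
    err = {"error": "unsupported_response_type", "error_uri": ERROR_URI, "state": state}
    return {"status": 302, "body": "",
            "location": build_redirect(redirect_uri, err, in_fragment=False)}


def parse_redirect(location):
    """Split a Location header into (query params, fragment params) as single-valued dicts."""
    parts = urlsplit(location)
    return ({k: v[0] for k, v in parse_qs(parts.query).items()},
            {k: v[0] for k, v in parse_qs(parts.fragment).items()})
```

The ordering matters: the registered-URI check runs before any other validation, so an attacker who controls redirect_uri cannot use an error response (or a valid one) to bounce the user agent to a host of their choosing. Once the URI is known to be the client's own, the usual error redirect with an absolute error_uri is safe.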