On Sun, Feb 20, 2011 at 3:47 PM, Eran Hammer-Lahav <[email protected]> wrote:

> How do you envision this being incorporated into v2? Just section 5 or the
> entire document?

My two cents: rather than dedicating a single section of the core doc to security considerations, smaller sections should be added to individual profiles. I think the following sections would be useful:

User-agent and web-server flow: mostly the same security considerations for these two flows. I think there are subsections here.
1) Authorization server implementation
2) Client implementation

Token design: Design and implementation recommendations for refresh tokens and access tokens.

Client id, client secret, and assertions: when and how to use client secrets, when and how to use assertions, how to store, etc...

Other flows: each of the other flows has separate security considerations. In some cases they are brief, but they pretty much always need to be there.

Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
