I finished the major part of -17, adding a new Client registration section and
folding client authentication into it. This new text attempts to directly
address:
* client authentication requirements
* define client types with regard to keeping secrets
* set registration requirements
* properly explain client identifier
* replace client credentials with a more generic client authentication (in
terms used throughout the document)
* provide a comprehensive discussion of redirection URIs (this is where the few
normative changes are)
* tweak the implicit and authorization code intros to better reflect reality
('optimized for')
* separate client identifier from client authentication (keep binding
requirement)
Normative changes (this should be verified):
* require client authentication for private clients (previously implied)
* require redirection endpoint registration for implicit grant and all for
public clients requests
* remove client_id as a required parameter from the token endpoint (now back to
being part of the client_secret pair)
The draft includes other changes like new error codes, but I'll list those when
the draft is published. I still have about 32 more items on my list to apply
before publishing, but the major changes are done.
You can always find the latest here:
https://github.com/hueniverse/draft-ietf-oauth
Early review of the following sections would be GREATLY appreciated:
2. Client Registration
2.1. Client Types
2.2. Registration Requirements
2.3. Client Identifier
2.4. Client Authentication
2.4.1. Client Password
2.4.2. Other Authentication Methods
2.5. Unregistered Clients
3.1.2. Redirection URI
3.2.1. Client Authentication
-17 will be published by Friday at which point I will leave it to the chairs to
decide if they still want to initiate WGLC or give the draft a few days of
informal review.
EHL
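To make the normative changes listed above concrete, here is an added example (not text or code from the draft, nor from the hueniverse repository) of the checks an authorization server would apply under them: redirection URI registration is mandatory for the implicit grant and for every public-client request, the registered URI is the default with the redirect_uri parameter optional, and a private client must authenticate at the token endpoint with the client_id/client_secret pair. The "public"/"private" labels, exact-match comparison of redirect URIs, and the decision that public clients are identified by something other than credentials (e.g. the code's binding) are assumptions of this example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


class InvalidRequest(Exception):
    """Raised when a request violates one of the registration rules."""


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str                      # "public" or "private" (assumed labels)
    redirect_uris: Tuple[str, ...] = ()   # URIs fixed at registration time
    client_secret: Optional[str] = None   # only private clients can keep one


def resolve_redirect_uri(client: Client, response_type: str,
                         requested: Optional[str]) -> str:
    """Pick the redirection URI for an authorization request.

    Registration is mandatory for the implicit grant (response_type "token")
    and for every request from a public client; the registered value is the
    default and the redirect_uri parameter is optional. Exact string matching
    against the registered set is an assumption of this example.
    """
    must_register = response_type == "token" or client.client_type == "public"
    if must_register and not client.redirect_uris:
        raise InvalidRequest("redirection URI must be registered for this request")
    if requested is None:
        if len(client.redirect_uris) != 1:
            raise InvalidRequest("redirect_uri required: no single registered URI")
        return client.redirect_uris[0]
    if client.redirect_uris and requested not in client.redirect_uris:
        raise InvalidRequest("redirect_uri does not match a registered value")
    return requested


def check_token_request(client: Client,
                        credentials: Optional[Tuple[str, str]]) -> bool:
    """Token-endpoint rule: a private client MUST authenticate.

    credentials is the (client_id, client_secret) pair; client_id is no longer
    a standalone required parameter, it only travels with the secret.
    """
    if client.client_type != "private":
        return True                       # public clients have nothing to prove
    if credentials is None:
        raise InvalidRequest("client authentication required for private client")
    cid, secret = credentials
    if cid != client.client_id or not hmac.compare_digest(secret, client.client_secret or ""):
        raise InvalidRequest("client authentication failed")
    return True
```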
> -----Original Message-----
> From: Eran Hammer-Lahav
> Sent: Monday, July 04, 2011 10:09 PM
> To: OAuth WG
> Subject: Timely review request: pre-draft-17
>
> I have started sharing my planned changes for 17:
>
> https://github.com/hueniverse/draft-ietf-oauth
>
> Change log:
>
> https://github.com/hueniverse/draft-ietf-oauth/commit/24a48f99c204331264028f66708427961a1bc102#diff-3
>
>
> My main focus right now is to clarify client types, registration, and
> identification, as well as tweak the registration requirements for redirection
> URIs. This is still very raw. However, I would very much like to get feedback
> about the following sections:
>
> 1.1.1. Client Types
> 1.2. Client Registration
>
> 2.1.1. Redirection URI
>
>
> In section 2.1.1, please note that it includes many new normative
> requirements, but in practice, they mostly boil down to the requirement to
> register a redirection URI for using the implicit grant type as well as using
> the authorization code with a public client (new term for describing client
> incapable of keeping secrets).
>
> I have turned the spec around, making registered redirection URIs the
> default, and using the parameter as an optional feature.
>
> Feedback is very much appreciated as we only have a few more days before I
> have to push out -17 and would like a few more eyes looking at the new text
> before published.
>
> I am still not ready to share changes to section 3. Also, I have a long list
> of additional changes raised on the list.
>
> Thanks,
>
> EHL
>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth