On 2012-07-09 15:55, Julian Reschke wrote:
On 2012-07-09 09:08, Mike Jones wrote:
A preliminary version of OAuth core draft -29 is attached for the
working group’s consideration and discussion on today’s call.  I believe
that this addresses all issues that have been raised, including Julian’s
issues about the ABNF, character sets, and form encoding.  Changes are:

  * Added "MUST" to "A public client that was not issued a client
    password MUST use the client_id request parameter to identify itself
    when sending requests to the token endpoint" and added text
    explaining why this must be so.
  * Added that the authorization server MUST "ensure the authorization
    code was issued to the authenticated confidential client or to the
    public client identified by the client_id in the request".
  * Added Security Considerations section "Misuse of Access Token to
    Impersonate Resource Owner at Public Client".
  * Deleted ";charset=UTF-8" from examples formerly using "Content-Type:
    application/x-www-form-urlencoded;charset=UTF-8".
  * Added the phrase "and a character encoding of UTF-8" when describing
    how to send requests using the HTTP request entity-body, per Julian
    Reschke's suggestion.

I still think that citing HTML4 here doesn't work; the definition of the
media type in HTML4 is known to be insufficient. What's the reason for
not citing the HTML4 working draft here?
> ...

s/4/5/, of course.


Best regards, Julian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
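
An added example, not part of the original message or of the draft text: a minimal token-endpoint check for the two MUSTs in the change list above (a public client identifies itself with client_id, and the authorization code is only honoured for the client it was issued to). The client registry, the function names and the passing of credentials as plain arguments are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed registry: confidential clients have a password, public clients have None.
CLIENTS = {"web-app": "constructed-secret", "native-app": None}
ISSUED_CODES = {}  # authorization code -> client_id it was issued to


def issue_code(client_id):
    """Authorization endpoint side: remember which client the code belongs to."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = client_id
    return code


def redeem_code(code, client_id=None, client_secret=None):
    """Token endpoint side: return "ok" or an OAuth error code string."""
    if client_id is None:
        # A public client has no password, so client_id is its only identifier.
        return "invalid_request"
    if client_id not in CLIENTS:
        return "invalid_client"
    expected = CLIENTS[client_id]
    if expected is not None:
        # Confidential client: must authenticate before the code is considered.
        if client_secret is None or not hmac.compare_digest(expected, client_secret):
            return "invalid_client"
    # Codes are single use: consume it whether or not the binding check passes.
    issued_to = ISSUED_CODES.pop(code, None)
    if issued_to is None or issued_to != client_id:
        return "invalid_grant"
    return "ok"
```
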