Given we are making the changes to the public client code flow.

I would change the name of the security consideration to:
> Misuse of Access Token to Impersonate Resource Owner in Implicit Flow

Sorry I forgot to change that when I sent it.

John B.

On 2012-07-09, at 3:08 AM, Mike Jones wrote:

> A preliminary version of OAuth core draft -29 is attached for the working 
> group’s consideration and discussion on today’s call.  I believe that this 
> addresses all issues that have been raised, including Julian’s issues about 
> the ABNF, character sets, and form encoding.  Changes are:
>  
> Added "MUST" to "A public client that was not issued a client password MUST 
> use the client_id request parameter to identify itself when sending requests 
> to the token endpoint" and added text explaining why this must be so.
> Added that the authorization server MUST "ensure the authorization code was 
> issued to the authenticated confidential client or to the public client 
> identified by the client_id in the request".
> Added Security Considerations section "Misuse of Access Token to Impersonate 
> Resource Owner at Public Client".
> Deleted ";charset=UTF-8" from examples formerly using "Content-Type: 
> application/x-www-form-urlencoded;charset=UTF-8".
> Added the phrase "and a character encoding of UTF-8" when describing how to 
> send requests using the HTTP request entity-body, per Julian Reschke's 
> suggestion.
> Added "The ABNF below is defined in terms of Unicode code points [UNICODE5]; 
> these characters are typically encoded in UTF-8".
> For symmetry when using HTTP Basic authentication, also apply the 
> application/x-www-form-urlencoded encoding to the client password, just as 
> was already done for the client identifier.
> Reduced multiple blank lines around artwork elements to single blank lines.
> Removed Eran Hammer's name from the author list, at his request. Dick Hardt 
> is now listed as the editor.
>  
> Best wishes,
> -- Mike
>  
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth


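The token-endpoint rules in the quoted change list (a public client MUST send client_id, the server MUST check that the code was issued to the authenticated confidential client or to that public client, and Basic credentials are form-urlencoded before base64) as an added Python example; it is not code from this thread or the draft, and the client and code stores are constructed sample data.

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus
# Constructed sample data: registered clients (confidential ones hold a password)
# and issued authorization codes, each bound to the client it was issued to.
CLIENTS = {
    "public-app": {"confidential": False},
    "conf-app": {"confidential": True, "secret": "s3cret/with+chars"},
}
ISSUED_CODES = {"code-public-1": {"client_id": "public-app"},
                "code-conf-1": {"client_id": "conf-app"}}

def basic_header(client_id, secret):
    """Client side: form-urlencode id and password, then base64 them for HTTP Basic."""
    raw = f"{quote_plus(client_id)}:{quote_plus(secret)}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(header):
    """Server side: undo the base64 and the form-urlencoding applied by the client."""
    if not header or not header.startswith("Basic "):
        return None
    raw = base64.b64decode(header[len("Basic "):]).decode("utf-8")
    client_id, _, secret = raw.partition(":")
    return unquote_plus(client_id), unquote_plus(secret)

def token_request(form, authorization=None):
    """Validate an authorization_code grant; returns ("ok", client_id) or ("error", code)."""
    if form.get("grant_type") != "authorization_code":
        return ("error", "unsupported_grant_type")
    creds = parse_basic(authorization)
    if creds is not None:
        # Confidential client: authenticate against the registered password.
        client_id, secret = creds
        client = CLIENTS.get(client_id)
        if (client is None or not client["confidential"]
                or not hmac.compare_digest(secret.encode(), client["secret"].encode())):
            return ("error", "invalid_client")
    else:
        # Public client: it MUST identify itself with client_id; an unauthenticated
        # confidential client is rejected rather than trusted on its id alone.
        client_id = form.get("client_id")
        client = CLIENTS.get(client_id)
        if client is None or client["confidential"]:
            return ("error", "invalid_client")
    # The code MUST have been issued to this very client; a code swapped between
    # clients must not be redeemable by the wrong party.
    issued = ISSUED_CODES.get(form.get("code"))
    if issued is None or issued["client_id"] != client_id:
        return ("error", "invalid_grant")
    return ("ok", client_id)
```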
