On 02/17/2013 05:54 AM, Torsten Lodderstedt wrote:
Hi Justin,
the new revision seems to catch the state of discussion and is
consistent. Thanks for bringing this topic forward.
On your editor's note in section 4.2: In my opinion, the 404 due to a
non-existing resource should precede the 403. I would suggest to
point out your thoughts on the access token. But as with any HTTP
request, there could be other ways to authenticate to this endpoint. I
therefore would not connect both aspects too much.
From our own implementation, the code that processes the token would
fire (and fail) long before the code that checks if the client is valid
gets reached. So for us, checking if the client exists in the first
place is difficult.
What if we just say it's a 403 if either the client or the token are
invalid?
section 4.3
"This request MUST include all fields described in Client Metadata
(Section 2) as returned to the Client from a previous register, read,
or update operation."
Just to make sure I got it. Any data element omitted in this request
is deleted/reset by the AS?
That's the intent. The AS is free to fill in or reject any fields the
client omits, if it wants to.
section 5.1
Something seems to be missing at
"The response contains the following fields:
, as well as a Client Secret if this client is a confidential client."
Vestigial formatting from shuffling sections around. Thanks for catching
that!
-- Justin
regards,
Torsten.
Am 15.02.2013 23:00, schrieb Richer, Justin P.:
Everyone, there's a new draft of DynReg up on the tracker. This draft
tries to codify the discussions so far from this week into something
we can all read. There are still plenty of open discussion points and
items up for debate. Please read through this latest draft and see
what's changed and help assure that it properly captures the
conversations. If you have any inputs for the marked [[ Editor's Note
]] sections, please send them to the list by next Thursday to give me
opportunity to get any necessary changes in by the cutoff date of
Monday the 22nd.
Thanks for all of your hard work everyone, I think this is *really*
coming along now.
-- Justin
On Feb 15, 2013, at 4:54 PM, [email protected] wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Web Authorization Protocol Working
Group of the IETF.
Title : OAuth Dynamic Client Registration Protocol
Author(s) : Justin Richer
John Bradley
Michael B. Jones
Maciej Machulak
Filename : draft-ietf-oauth-dyn-reg-06.txt
Pages : 21
Date : 2013-02-15
Abstract:
This specification defines an endpoint and protocol for dynamic
registration of OAuth Clients at an Authorization Server.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-06
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dyn-reg-06
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth