Hello,

Thank you for your work on draft-ietf-oauth-introspection-07.  The security
considerations appear to be addressed well and I was glad to see how a
response is handled when the response code is false, to not reveal
information as to why.

The privacy considerations look good, but I do have another question that
should be addressed in the draft in regard to privacy.

Section 2.1 says an IP address (or something else) might be used to provide
context of the query, the authorization server could have other information
about the client.  It would be good to mention privacy related
considerations for the client in this case in addition to what gets
returned in the Introspection Response (already covered).

Thank you.


-- 

Best regards,
Kathleen
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to