Thanks Mike, the updated spec looks good!

I have a question related to PKCE:

The PKCE spec seems to imply that an AS may require public clients to
use a code challenge:

https://tools.ietf.org/html/rfc7636#section-4.4.1

If an AS has such a policy in place, how is this to be advertised? Or is
that supposed to be enforced when the client gets registered (there are
no reg params for that at present)?


On 28/01/16 19:27, Mike Jones wrote:
> The OAuth Discovery specification has been updated to add metadata values for 
> revocation<http://tools.ietf.org/html/rfc7009>, 
> introspection<http://tools.ietf.org/html/rfc7662>, and 
> PKCE<http://tools.ietf.org/html/rfc7636>.  Changes were:
>
> *       Added "revocation_endpoint_auth_methods_supported" and 
> "revocation_endpoint_auth_signing_alg_values_supported" for the revocation 
> endpoint.
>
> *       Added "introspection_endpoint_auth_methods_supported" and 
> "introspection_endpoint_auth_signing_alg_values_supported" for the 
> introspection endpoint.
>
> *       Added "code_challenge_methods_supported" for PKCE.
>
> The specification is available at:
>
> *       http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>
> An HTML-formatted version is also available at:
>
> *       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>
>                                                           -- Mike
>
> P.S.  This note was also published at http://self-issued.info/?p=1531 and as 
> @selfissued<https://twitter.com/selfissued>.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Vladimir Dzhuvinov
