Good question.

It's probably a good idea to be able to advertise this policy in the
discovery.

Perhaps along the lines of

pkce_required or rfc7636_required?
The value should be Boolean.

Nat from iPhone


On Fri, Jan 29, 2016 at 21:23, Vladimir Dzhuvinov <[email protected]> wrote:

> Thanks Mike, the updated spec looks good!
>
> I have a question related to PKCE:
>
> The PKCE spec seems to imply that an AS may require public clients to use
> a code challenge:
>
> https://tools.ietf.org/html/rfc7636#section-4.4.1
>
> If an AS has such a policy in place, how is this to be advertised? Or is
> that supposed to be enforced when the client gets registered (there are no
> reg params for that at present)?
>
>
> On 28/01/16 19:27, Mike Jones wrote:
>
> The OAuth Discovery specification has been updated to add metadata values for
> revocation <http://tools.ietf.org/html/rfc7009>,
> introspection <http://tools.ietf.org/html/rfc7662>, and
> PKCE <http://tools.ietf.org/html/rfc7636>.  Changes were:
>
> *       Added "revocation_endpoint_auth_methods_supported" and 
> "revocation_endpoint_auth_signing_alg_values_supported" for the revocation 
> endpoint.
>
> *       Added "introspection_endpoint_auth_methods_supported" and 
> "introspection_endpoint_auth_signing_alg_values_supported" for the 
> introspection endpoint.
>
> *       Added "code_challenge_methods_supported" for PKCE.
>
> The specification is available at:
>
> *       http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>
> An HTML-formatted version is also available at:
>
> *       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>
>                                                           -- Mike
>
> P.S.  This note was also published at http://self-issued.info/?p=1531 and as
> @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> --
> Vladimir Dzhuvinov
>
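Added example, not part of the original thread or of the draft: a client-side check in Python that reads the discovery metadata, prefers S256 from "code_challenge_methods_supported", and validates the Boolean suggested above before relying on it. The "pkce_required" name is only the suggestion made in this thread; the metadata document, `plan_pkce` and `as_requires_pkce` are constructed for the example.

```python
import base64
import hashlib
import json
import secrets

# Constructed metadata document for illustration (not from a real server).
# "pkce_required" is only the name proposed in this thread, not a registered
# parameter; "code_challenge_methods_supported" is from the draft.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.com",
  "code_challenge_methods_supported": ["plain", "S256"],
  "pkce_required": true
}""")


def new_verifier() -> str:
    """32 random octets, base64url without padding: 43 chars (RFC 7636, 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636, 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def plan_pkce(metadata: dict, verifier: str, allow_plain: bool = False) -> dict:
    """Choose the PKCE parameters for the authorization request."""
    required = metadata.get("pkce_required", False)
    if not isinstance(required, bool):
        raise ValueError("pkce_required must be a JSON boolean")
    methods = metadata.get("code_challenge_methods_supported")
    if methods is not None and not isinstance(methods, list):
        raise ValueError("code_challenge_methods_supported must be an array")
    # Policy of this example: with no advertised list, still send S256,
    # since an AS ignores request parameters it does not recognise.
    if methods is None or "S256" in methods:
        method, challenge = "S256", s256_challenge(verifier)
    elif "plain" in methods and allow_plain:
        method, challenge = "plain", verifier  # explicit opt-in only
    else:
        raise ValueError("no acceptable code challenge method advertised")
    return {"code_challenge": challenge, "code_challenge_method": method,
            "as_requires_pkce": required}


if __name__ == "__main__":
    print(plan_pkce(SAMPLE_METADATA, new_verifier()))
```

A client that always sends a challenge this way satisfies an AS that requires PKCE whether or not the requirement is advertised.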