Hi (as individual),
I have reviewed this version of the document and I have the following
comments/questions:
Section 2.1, page 8, last paragraph:
"In the absence of one-time-use or other semantics specific to the
token type, the act of performing a token exchange has no impact on
the validity of the subject token or actor token."
Would the validity of the newly issued token be impacted later on by the
validity of the subject or actor tokens?
Section 2.2.2, page 10, second paragraph:
"If the authorization server is unwilling or unable to issue a token
for all the target services indicated by the "resource" or "audience"
parameters, the "invalid_target" error code MAY be used in the error
response."
Can you please elaborate on why the above text is using "MAY" for the use
of "invalid_target" in this case?
Section 4.1, page 14, second paragraph:
"However, claims within the "act" claim pertain only to the identity
of the actor and are not relevant to the validity of the containing
JWT in the same manner as the top-level claims. Consequently, claims
such as "exp", "nbf", and "aud" are not meaningful when used within
an "act" claim, and therefore should not be used."
If the "exp", "nbf", and "aud" claims are not meaningful inside the "act"
claim, why is the sentence stating that it "should not be used"?
Would it not be more appropriate to state that it "must not be used"
instead?
Regards,
Rifaat
On Fri, Jun 2, 2017 at 3:05 PM, Rifaat Shekh-Yusef <[email protected]>
wrote:
> All,
>
> We are starting a WGLC on the Token Exchange document:
> https://www.ietf.org/id/draft-ietf-oauth-token-exchange-08
>
> Please, review the document and provide feedback on any issues you see
> with the document.
>
> The WGLC will end in two weeks, on June 17, 2017.
>
> Regards,
> Rifaat and Hannes
>
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
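As an added worked example, not part of the review above or of the draft text it quotes, the Python below sketches the two behaviours the second and third comments cite from Sections 2.2.2 and 4.1 of the draft: a token endpoint that answers with "invalid_target" when it cannot issue for every target named by "resource"/"audience", and a validator for the issued JWT that decides validity only from the top-level "exp", "nbf" and "aud" while reading nothing but identity ("sub") out of the "act" chain. The issuer URL, audiences, signing key and HS256 choice are constructed for the example (a real authorization server would use an asymmetric key); only the standard library is used.

```python
"""Token exchange: "invalid_target" on unissuable targets, and "act" handling on validation."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for this example; not taken from the draft.
SIGNING_KEY = b"example-hs256-key-not-for-production"
ISSUER = "https://as.example.com"
ISSUABLE_AUDIENCES = {"https://backend.example.com", "https://reports.example.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialise and HS256-sign a claim set (example helper, not a full JWS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_exchange(request: dict, subject_sub: str, actor_sub: str, now: float = None) -> dict:
    """Minimal token endpoint for the token-exchange grant.

    Per Section 2.2.2 of the draft: if the server cannot issue for all targets named by
    "resource" or "audience", it answers with the "invalid_target" error instead of a token.
    Both parameters may be a string or a list; the example treats them alike.
    """
    now = int(time.time() if now is None else now)
    targets = set()
    for param in ("resource", "audience"):
        value = request.get(param, [])
        targets.update([value] if isinstance(value, str) else value)
    if not targets or not targets <= ISSUABLE_AUDIENCES:
        return {"error": "invalid_target",
                "error_description": "cannot issue a token for all requested targets"}
    claims = {
        "iss": ISSUER,
        "sub": subject_sub,
        "aud": sorted(targets),
        "iat": now,
        "nbf": now,
        "exp": now + 300,
        # Delegation: "act" carries only the identity of the acting party (Section 4.1).
        "act": {"sub": actor_sub},
    }
    return {
        "access_token": sign_jwt(claims, SIGNING_KEY),
        "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_type": "Bearer",
        "expires_in": 300,
    }


def validate_issued_token(token: str, key: bytes, expected_aud: str, now: float = None) -> dict:
    """Verify the signature and top-level validity claims, then walk the "act" chain.

    Only the top-level "exp", "nbf" and "aud" decide validity. The same names inside a
    nested "act" object pertain to nothing and are not consulted, as Section 4.1 says.
    Returns the subject and the actor chain, outermost actor first.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    aud = claims["aud"]
    if expected_aud not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    actors = []
    act = claims.get("act")
    while act is not None:
        # Identity only: an "exp", "nbf" or "aud" placed inside "act" is ignored here.
        actors.append(act["sub"])
        act = act.get("act")
    return {"subject": claims["sub"], "actors": actors}
```

The validator deliberately tolerates validity-type claims inside "act" rather than rejecting the token, which matches the quoted "not meaningful" wording; a stricter reading of "must not be used" would instead reject them, which is the distinction the third comment raises.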