Thanks for the review, Torsten! ... comments inserted ...

On Tue, Jul 17, 2018 at 11:59 AM, Torsten Lodderstedt <
tors...@lodderstedt.net> wrote:

> Hi Dick,
>
> I like the draft! It puts together some best practices relevant for
> dynamic OAuth in a reasonable way.
>
> Some comments:
>
> Section 2:
> I appreciate the idea to let the resource determine its resource URI
> (later used as aud of the access token). This will allow the RS to segment
> and group its resources as needed.
>

:)


>
> Section 3:
> Don’t you think it could be useful information to have the resource URI
> available in the authorization flow? I would assume it could have some
> additional meaning to the AS and could also be the context of the scope.
>

I'm assuming you are referring to the Authorization Code Grant. Good
call-out that the resource URI would be useful in the redirect.

The use cases that I have been working with have all been Client Credentials
Grants.

I currently don't know of a real world use case for the Authorization Code
Grant for Distributed OAuth.


>
> Section 4:
> I think the client MUST authenticate using a PoP (asymmetric crypto based)
> mechanism due to the attack angle given in 6.3.
> Did you intentionally restrict the draft to single resources?


Yes.


> I would desire support for an integrated UI flow for authorizing access to
> multiple resources at once. This makes sense in multi-service deployments.
>

It could be. Would be great to get some real use cases for that in an
Authorization Code Grant.


>
> Section 6.1.
> I suggest you also refer to
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-06#section-3.7
> for a comprehensive discussion of this threat.
>

Thanks


>
> kind regards,
> Torsten.
>
>
> > Am 12.06.2018 um 21:28 schrieb Dick Hardt <dick.ha...@gmail.com>:
> >
> > Hey OAuth WG
> >
> > I have worked with Nat and Brian to merge our concepts and those are
> captured in the updated draft.
> >
> > https://datatracker.ietf.org/doc/draft-hardt-oauth-distributed/
> >
> > We are hopeful the WG will adopt this draft as a WG document.
> >
> > Any comments and feedback are welcome!
> >
> > /Dick
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
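The two points raised above (the resource URI becoming the token's `aud`, and the client authenticating with a proof-of-possession key) come together at the resource server, which must reject a token minted for a different resource or presented by a different key. The following is an added illustration written for this page, not code from the draft or from anyone on the thread. It assumes a minimal HMAC-signed JSON token in place of a real JWT, a `cnf` claim holding a SHA-256 thumbprint of the client key as the PoP binding, and that the client's actual possession proof (a signature over the request) has already been verified elsewhere, so only the key-to-token binding is checked here:

```python
"""
Added example: a resource server (RS) that accepts only access tokens whose
`aud` equals the resource URI it advertised and whose key binding matches the
key the client presented. Token format, the `cnf` thumbprint claim and the
HMAC signature are assumptions made for this example, not the draft's design.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the AS and RS for the example's token signature.
AS_SECRET = b"constructed-example-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(resource_uri, client_key, lifetime=300, now=None):
    """Act as the AS: mint a token bound to one resource URI and one client key.
    `cnf.kid_sha256` is an assumed PoP binding (thumbprint of the client key)."""
    now = time.time() if now is None else now
    claims = {
        "aud": resource_uri,
        "exp": now + lifetime,
        "cnf": {"kid_sha256": hashlib.sha256(client_key).hexdigest()},
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def validate_token(token, my_resource_uri, presented_key, now=None):
    """Act as the RS. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return False, "malformed"
    # Verify the AS signature before trusting any claim.
    expected = _b64(hmac.new(AS_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < now:
        return False, "expired"
    # `aud` must be exactly the URI this RS advertised: a token minted for
    # another resource is rejected even though the same AS signed it.
    if claims.get("aud") != my_resource_uri:
        return False, "audience mismatch"
    # PoP binding: the key the client presented must match the token's `cnf`.
    thumb = hashlib.sha256(presented_key).hexdigest()
    if claims.get("cnf", {}).get("kid_sha256") != thumb:
        return False, "key binding mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resource URIs and client keys.
    photos, calendar = "https://api.example/photos", "https://api.example/calendar"
    key_a, key_b = b"client-a-public-key", b"client-b-public-key"
    tok = issue_token(photos, key_a)
    print(validate_token(tok, photos, key_a))     # accepted
    print(validate_token(tok, calendar, key_a))   # wrong resource
    print(validate_token(tok, photos, key_b))     # wrong key
```

The check order matters: the signature is verified before any claim is read, and `aud` is compared for exact equality rather than prefix or substring match, so two resources under the same host cannot accept each other's tokens unless the AS deliberately issues a shared audience.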