Hi Aaron, I just reviewed the latest update. Thank you for this very interesting guideline!
Here are my thoughts:

- Section 4: "For authorizing users within a browser-based application" I would like to know whether this guide is for JavaScript Applications (such as SPAs), for Browser Extensions, or for both?
- Section 5: "applicaiton" -> "application"; "an web email" -> "a web email"
- Section 6: "and MUST use a unique value for each authorization request." I would prefer: 'The "state" parameter MUST be a unique value for each authorization request, which is bound to the end-user's HTTP session, and must be verified upon receiving it in the authorization response.' Otherwise, it sounds like a nonce to me.
- Section 7.3: "If authorization servers restrict redirect URIs to a fixed set of absolute HTTPS URIs without wildcard domains or paths" Covert redirect can be used by abusing unprotected GET parameters (which are technically not the PATH). So maybe it would be better to say simply "without wildcards" or "without wildcard domains, paths, or queries"?
- Section 7.6: "dynamic registration" -> "dynamic client registration"

Best Regards
Christian

--
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security
Chair for Network and Data Security
Ruhr-University Bochum, Germany
Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany
Telefon: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
http://nds.rub.de/chair/people/cmainka/
@CheariX

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth