3.1 - "Clients MUST memorize which authorization server they sent an authorization request to" - is memorize the best synonym here, perhaps store or retain is more aligned with computational language?
3.1.2 How does the draft https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02 align with this guidance and will a future BCP update include a direct reference to the final published version of this spec? 3.5, 3.6 Since there is a reference to the MTLS draft could there also be some guidance on the usage of token exchange best practise and also for the contents of the access token to be aligned https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02 ---------------------------------------------------------------------- Date: Wed, 6 Nov 2019 08:26:49 +0000 From: Hannes Tschofenig <[email protected]> To: "[email protected]" <[email protected]> Subject: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice" Message-ID: <vi1pr08mb5360fbbaf0d3a38bdbed618bfa...@vi1pr08mb5360.eurprd08.prod.outlook.com> Content-Type: text/plain; charset="us-ascii" Hi all, this is a working group last call for "OAuth 2.0 Security Best Current Practice". Here is the document: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13 Please send you comments to the OAuth mailing list by Nov. 27, 2019. (We use a three week WGLC because of the IETF meeting.) Ciao Hannes & Rifaat IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. This e-mail, including attachments, is intended for the person(s) or company named and may contain confidential and/or legally privileged information. Unauthorized disclosure, copying or use of this information may be unlawful and is prohibited. If you are not the intended recipient, please delete this message and notify the sender. All incoming and outgoing e-mail messages are stored in the Swiss Re Electronic Message Repository. If you do not wish the retention of potentially private e-mails by Swiss Re, we strongly advise you not to use the Swiss Re e-mail account for any private, non-business related communications. _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
