On Nov 10, 2019, at 2:02 PM, Lee McGovern <[email protected]> wrote:
> 
> 
> 3.1 - "Clients MUST memorize which authorization server they sent an 
> authorization request to" - is memorize the best synonym here? Perhaps store 
> or retain is more aligned with computational language.

Store, retain, persist are all common.

> 
> 3.1.2 How does the draft 
> https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02 align 
> with this guidance and will a future BCP update include a direct reference to 
> the final published version of this spec?

The dependency will be the other way - Browser-Based Apps will inform AS and RS 
implementors/operators what they need to do to allow JavaScript clients, and 
browser clients will have guidance toward meeting the Security BCP, where 
possible. Other drafts like DPoP exist to try to reduce the delta between the 
security BCP and what is feasible to deploy in browsers today.

> 3.5, 3.6 Since there is a reference to the MTLS draft, could there also be 
> some guidance on the usage of token exchange best practice, and also for the 
> contents of the access token to be aligned with 
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02?
> 

-DW

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
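As an added example (not code from the thread or from the BCP text) of the 3.1 requirement to retain which authorization server a request was sent to: the client stores the issuer and the AS-specific redirect URI against the `state` value, and at callback time rejects a response that arrives on a redirect URI bound to a different AS, carries a mismatched `iss` parameter, or reuses a `state`. The issuer URLs, redirect URIs and the in-memory `PENDING` store are constructed assumptions for illustration.

```python
import secrets
import hmac

# Constructed stand-in for the client's persisted per-request state.
# A real client would keep this in a server-side session store.
PENDING = {}

# Constructed registry: each AS the client uses gets its own redirect URI,
# so a response can be tied back to exactly one AS.
AS_REGISTRY = {
    "https://as-a.example": {"redirect_uri": "https://client.example/cb/as-a"},
    "https://as-b.example": {"redirect_uri": "https://client.example/cb/as-b"},
}


def begin_authorization(issuer):
    """Start an authorization request and retain which AS it went to."""
    if issuer not in AS_REGISTRY:
        raise ValueError("unknown authorization server")
    state = secrets.token_urlsafe(32)
    PENDING[state] = {
        "issuer": issuer,
        "redirect_uri": AS_REGISTRY[issuer]["redirect_uri"],
    }
    return state


def handle_callback(received_at_uri, params):
    """Accept the response only if it came back via the AS we used.

    Returns the issuer and code on success, None on any mismatch.
    """
    entry = PENDING.pop(params.get("state"), None)  # single use
    if entry is None:
        return None  # unknown or replayed state
    if received_at_uri != entry["redirect_uri"]:
        return None  # landed on a redirect URI bound to another AS
    iss = params.get("iss")
    if iss is not None and not hmac.compare_digest(iss, entry["issuer"]):
        return None  # AS identified itself, but not as the one we asked
    return {"issuer": entry["issuer"], "code": params.get("code")}
```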
