One of the use cases brought up in the ROPC thread mentioned that redirect was hard to do in some cases (like IoT). This reminded me of RFC8628, the OAuth Device Authorization Grant. I mention it because *some* of the cases that say redirection is hard may be able to use the Device Authz Grant.
Would it be worth including a section in OAuth 2.1 referencing RFC8628 or, possibly, incorporating it?

Phil Hunt
@independentid
[email protected]
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
