Hi all,

Based on some of the discussions from our virtual interim meeting and the OAuth Security Workshop, I published a (minor) update to the browser app BCP.

https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07

The primary changes are:

* Revised the language around PKCE/Implicit to clarify that PKCE applies only when issuing access tokens
* Clarified that ASs MUST NOT issue access tokens in the authorization response
* Changed "MUST" to "SHOULD" for rotating refresh tokens
* Editorial clarifications to the summary bullet point section

I believe these changes reflect all the latest discussions we've had. There are still some outstanding items I am aware of that need adding to the document as well. Apologies for the delay in getting this out. I hope we can pick up the momentum on this document again!

Aaron Parecki

On Fri, Oct 2, 2020 at 4:36 PM <[email protected]> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
> Title : OAuth 2.0 for Browser-Based Apps
> Authors : Aaron Parecki
> David Waite
> Filename : draft-ietf-oauth-browser-based-apps-07.txt
> Pages : 21
> Date : 2020-10-02
>
> Abstract:
> This specification details the security considerations and best practices that must be taken into account when developing browser-based applications that use OAuth 2.0.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-07
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-07
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
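As an added illustration of the three policy points in the change summary above (not code from the draft, its authors, or any OAuth library), here is an authorization-server-side sketch in Python: reject any response_type that would carry an access token in the authorization response, require and verify PKCE on the code flow, and rotate refresh tokens on every use. The function names, the S256-only policy and the in-memory token store are assumptions made for the example; the PKCE test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Constructed example; the function names and in-memory store are assumptions.
ALLOWED_CHALLENGE_METHODS = {"S256"}  # local policy choice: reject "plain"

def validate_authorization_request(params: dict) -> tuple[bool, str]:
    """Return (ok, reason) for a /authorize request from a browser-based client.
    A response_type containing "token" would put an access token in the
    authorization response, which the draft says an AS MUST NOT do."""
    response_types = set(params.get("response_type", "").split())
    if "token" in response_types:
        return False, "access tokens must not be issued in the authorization response"
    if response_types != {"code"}:
        return False, "unsupported response_type"
    # PKCE is required because this flow leads to an access token being issued.
    if not params.get("code_challenge"):
        return False, "code_challenge required"
    if params.get("code_challenge_method") not in ALLOWED_CHALLENGE_METHODS:
        return False, "code_challenge_method must be S256"
    return True, "ok"

def pkce_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def verify_code_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """Token endpoint check: the code is bound to whoever holds the verifier."""
    return secrets.compare_digest(pkce_challenge(code_verifier), stored_challenge)

class RefreshTokenStore:
    """In-memory store that rotates refresh tokens on every use."""

    def __init__(self) -> None:
        self._active: dict[str, str] = {}  # refresh_token -> client_id

    def issue(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._active[token] = client_id
        return token

    def rotate(self, old_token: str, client_id: str):
        # Presented token must be live and bound to this client; it is then
        # invalidated, so a replayed copy of it is rejected.
        if self._active.get(old_token) != client_id:
            return None
        del self._active[old_token]
        return self.issue(client_id)
```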
