In reviewing RAR, I noticed a couple of things. I've submitted the editorial
suggestions below as a PR.

* Changed "the requested scope, i.e., the permission, of an access token"
to "the requested scope, i.e., the limited capability, of an access token".
Scope isn't defined as "permission" in OAuth 2.0. Permissions are often
handled by internal mechanisms other than scopes, and scopes are more about
limiting the capability of an access token.
* Clarified the description of Token Introspection
* "the user consent" -> "the user consent prompt"
* "attacker vector" -> "attack vector"

https://github.com/oauthstuff/draft-oauth-rar/pull/90

I have some other notes as well, for which I didn't have a quick fix to
suggest in the PR.

https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html#section-9.1

Would it be more appropriate to reference the JWT Access Token spec
(RFC9068) rather than just the JWT spec (RFC7519) now that it's an RFC?

https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html#section-9.2

Section 9.2 about the token introspection response is missing normative
language about whether and what specifically is recommended. Section 9.1
above does have "RECOMMENDED" for the authorization_details parameter.
I think this should match, but I'm not clear on exactly where this should
go. Perhaps this also suggests that "The authorization_details member
contains..." is ambiguous as to whether this is normative or just a
suggestion, and should be fixed as well.

https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html#section-10

Again, "The AS publishes" and "Clients announce" are missing a keyword
"MUST/SHOULD/MAY", so it's not clear whether these are required.

https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html#section-11.3

"the JSON schema id" - should this be "the JSON Schema ID" or "the JSON
Schema `id`"?

https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html#section-13

Is this a "MUST" or a "must"?

"to learn the user data" - this sounds awkward, should it be "the user's
data"? Not sure if there is a better suggestion.

---
Aaron Parecki
https://aaronparecki.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth