All,

I finally had a chance to look through this latest (adopted) draft, and I like 
the simplicity this brings over dynamic client registration.  That said, I have 
a couple quick comments/questions:

1. What about PKCE/OpenID "native" authorization with a redirect URI of 
"http://127.0.0.1/some/path"? There is discussion of "maybe the AS will require 
same-origin URIs" but that would preclude native auth flows. Would be nice to 
talk about it and, if optional, have some guidance about what the AS does.

2. What is the error if a client_id using this scheme on the authorization 
endpoint isn't acceptable? "unauthorized_client"?

Thanks to the AS metadata, I can see supporting this in the CUPS OAuth client 
fairly quickly...

________________________
Michael Sweet

_______________________________________________
OAuth mailing list -- [email protected]