Dear working group,

Some weeks ago I shared a link to a draft that I called the OAuth Client Challenge Protocol: https://datatracker.ietf.org/doc/draft-kahrer-oauth-client-challenge-protocol/

I would very much appreciate some more and honest feedback on the proposal.

- What are your thoughts about conditional access control for clients? Have you seen (or do you expect to see) a need for it in your work?
- Do you find the proposal useful in that context?
- Have you done, used or seen something similar in the past?
- What kinds (types) of challenges do you think are needed or most useful?
- What would you change in the proposed protocol?

I have considered returning a 401 HTTP code in the token response for a while, but came to the conclusion that it would actually limit the kinds of challenges the authorization server can request from the client, because it would require an HTTP authentication scheme in the WWW-Authenticate header. Therefore, I think, HTTP 403 fits best.

Looking forward to some discussions!

- Judith
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
