Thanks for the review Filip!

I've published an updated version that includes your edits:
https://www.ietf.org/archive/id/draft-ietf-oauth-first-party-apps-04.html

I also took this opportunity to incorporate a bit of feedback that was
sitting in GitHub issues from after the March meeting. Mostly adding
examples, and a call-out to follow the OAuth Security BCP when falling back
to redirect flows.

This review also pointed out an inconsistency in the HTTP response codes.
One example used 401 but didn't include the WWW-Authenticate header that's
required for 401. So I changed those to 403 to better fit the definition of
the response code.

Aaron



On Fri, Jun 26, 2026 at 12:44 AM Filip Skokan <[email protected]> wrote:

> I've reviewed the document and support its publication. I've proposed a
> number of editorial fixes in a PR
> <https://github.com/oauth-wg/oauth-first-party-apps/pull/178> to
> resolve typos, grammar, and general inconsistencies in wording used
> throughout the document.
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Thu, 25 Jun 2026 at 20:38, Rifaat Shekh-Yusef via Datatracker <
> [email protected]> wrote:
>
>> This message starts a WG Last Call for:
>> draft-ietf-oauth-first-party-apps-03
>>
>> This Working Group Last Call ends on 2026-07-13
>>
>> Abstract:
>>    This document defines the Authorization Challenge Endpoint, which
>>    supports clients that want to control the process of obtaining
>>    authorization from the user using a native experience.
>>
>>    In many cases, this can provide an entirely browserless OAuth 2.0
>>    experience suited for native applications, only delegating to the
>>    browser in unexpected, high risk, or error conditions.
>>
>> File can be retrieved from:
>>
>> Please review and indicate your support or objection to proceed with the
>> publication of this document by replying to this email keeping
>> [email protected]
>> in copy. Objections should be explained and suggestions to resolve them
>> are
>> highly appreciated.
>>
>> Authors, and WG participants in general, are reminded of the Intellectual
>> Property Rights (IPR) disclosure obligations described in BCP 79 [1].
>> Appropriate IPR disclosures required for full conformance with the
>> provisions
>> of BCP 78 [1] and BCP 79 [2] must be filed, if you are aware of any.
>> Sanctions available for application to violators of IETF IPR Policy can be
>> found at [3].
>>
>> Thank you.
>>
>> [1] https://datatracker.ietf.org/doc/bcp78/
>> [2] https://datatracker.ietf.org/doc/bcp79/
>> [3] https://datatracker.ietf.org/doc/rfc6701/
>>
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/
>>
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-oauth-first-party-apps-03.html
>>
>> A diff from the previous version is available at:
>>
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-first-party-apps-03
>>
>> _______________________________________________
>> OAuth mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to