Thanks for catching the typo.
Regarding the IPR (or more copyright) there is an open issue that I was
not able to resolve since neither Scott Bradner nor Jorge (the IETF
lawyer) responded to me.
I updated the write-up!
Ciao
Hannes
On 01/29/2015 12:31 AM, Kathleen Moriarty wrote:
Hi Hannes,
In SPOP/PKCE §1.1 [1] the figure and explanation have the authorization
request going to the Resource Owner and goes on to say that 'the resource
owner responds as usual, but records t(code_verifier) and the
transformation method.' That's not what the resource owner does.
I know the protocol flow
++ +---+
||--(A)-- Authorization Request ---| |
||+ t(code_verifier), t | Authorization |
|| |Endpoint |
|
Works for me. The text below needs to be fixed up to match too.
On Thu, Jan 29, 2015 at 3:14 PM, John Bradley ve7...@ve7jtb.com wrote:
How about
++ +---+
||--(A)-- Authorization Request ---| |
||
How about
++ +---+
||--(A)-- Authorization Request ---| |
||+ t(code_verifier), t | Authorization |
|| |Endpoint |
||-(B)-
Good by me.
On Thu, Jan 29, 2015 at 3:35 PM, John Bradley ve7...@ve7jtb.com wrote:
++ +---+
||--(A)-- Authorization Request ---| |
||+ t(code_verifier), t | Authorization |
FYI, we are now tracking this issue at:
https://bitbucket.org/Nat/oauth-spop/issue/32/clean-up-definitions
2015-01-30 8:15 GMT+09:00 Brian Campbell bcampb...@pingidentity.com:
In §2 [1] we've got SHA256(STRING) denotes a SHA2 256bit hash [RFC6234]
of STRING.
But, in the little cow town