I second the request to enhance the security considerations section to
address any known issues identified with the flow (e.g. phishing, client
impersonation, etc). The polling/state issues are likely not at the same
scale for other providers, as they are for Google, so I think this flow
still
Naveen, I have to disagree with your recommendation that we not finish this
work. People have been using variants of the device flow for years.
Standardizing it will improve interoperability. Also, standardizing it will
make the security considerations for using it commonly available to
impl
On Wed, May 30, 2018 at 6:06 PM, William Denniss
wrote:
>
> On Wed, May 30, 2018 at 3:48 PM, Brian Campbell <
> bcampb...@pingidentity.com> wrote:
>
>> I realize this is somewhat pedantic but I don't think referencing 4.1.2.1
>> works given how RFC 6749 set things up. Rather I believe that the de
A new meeting session request has just been submitted by Hannes Tschofenig, a
Chair of the oauth working group.
-
Working Group Name: Web Authorization Protocol
Area Name: Security Area
Session Requester: Hannes Tschofenig
Number of Ses
I have a general concern on making the device flow a standard as this
suffers from a number of issues that are quite fatal. At Google we have
limited this flow to be used for very basic/limited scopes as phishing
concerns are very real. Also the protocol suffers from clients polling
(overloading th
