Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-05-11 Thread Jared Jennings
Hi Vittorio, Yeah, this does make a bit of sense. So, the goal is to guide implementors from making bad choices, not from a security perspective. Meaning, it's not a security risk that a client does inspect or analyze the token. Instead, it's an interop issue and thus we are guiding

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-05-11 Thread Jared Jennings
If I may step in and offer a suggestion. What if instead of "MUST NOT" we replace it with "SHOULD NOT"? To me (and this might be me), MUST NOT describes a violation. As in I broke the law. Conversely, I interpret "SHOULD NOT" as a recommendation, a guideline, best practice, etc. If then the

Re: [OAUTH-WG] Aligning PKCE requirements within the OAuth Security BCP

2020-05-10 Thread Jared Jennings
As a clarifying question, you are saying "Servers must support" and not "Servers must require clients to use PKCE". -Jared Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152 On Wed, May 6, 2020 at 4:04 PM Mike Jones wrote: > As is being discussed in the thread “[OAUTH-WG]

Re: [OAUTH-WG] Refreshing tokens on the RS

2020-05-10 Thread Jared Jennings
Not exactly the same, but seems similar to some of the proposed logic in https://tools.ietf.org/wg/oauth/draft-ietf-oauth-incremental-authz/ -Jared Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152 On Tue, May 5, 2020 at 10:19 AM Jim Schaad wrote: > Over in the ACE working

Re: [OAUTH-WG] May 11th Interim Meeting Materials

2020-05-08 Thread Jared Jennings
I will be taking notes using the following link. https://docs.google.com/document/d/1tPxkaOf74szvDLSEpzXV8lMgSEwcHYMC73OUOv3BKxQ/edit?usp=sharing -Jared Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152 On Fri, May 8, 2020 at 5:25 PM Rifaat Shekh-Yusef wrote: > All, > >

Re: [OAUTH-WG] May 4th Interim Meeting Material

2020-05-04 Thread Jared Jennings
I'll be taking notes here https://docs.google.com/document/d/1gVTUzkMFvS-XyrYBiXOqbUnl5zp5nlhZf57oKFY2bzc/edit?usp=sharing Of course, Rifaat will publish once complete. -Jared Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152 On Sun, May 3, 2020 at 4:02 PM Rifaat

[OAUTH-WG] Structured management of working documents

2020-04-23 Thread Jared Jennings
Hi all, I know I am super new to the list, so bear with me with my observations that I would like to share with the group. Probably no one in the list knows me, but I am used to online forums and mailing lists, and I have been involved in various open source applications for many years. So, these comments do

[OAUTH-WG] RAR - Example JWT for Payment

2020-03-30 Thread Jared Jennings
I have a question about the example and maybe it's more for clarification than anything. The example contains type and also location. A couple of things: 1. Would it add clarity if the domain was the same for both? vs. someorg.com / example.com 2. While only an example, would it bring clarity to

Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

2020-03-18 Thread Jared Jennings
Perfect, and really good info! But most people, if we need to worry about the audience, are not going to put that together. They just read "OAUTH". It's not a deal breaker, but if the document is going to be easy to read and keep confusion to a minimum... then it would be nice if it addressed

Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

2020-03-18 Thread Jared Jennings
I agree, but would add that as long as it says "this is being dropped", but does not impact "that", then the reader can understand context. "This does not change support for the implicit response that OpenID Connect (OIDC) makes use of". My two cents. -Jared Skype:jaredljennings Signal:+1 816.730.9540

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Jared Jennings
+1 -Jared Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152 On Mon, Nov 25, 2019 at 8:08 AM Neil Madden wrote: > On 25 Nov 2019, at 12:09, Torsten Lodderstedt > wrote: > > > > Hi Neil, > > > >> On 25. Nov 2019, at 12:38, Neil Madden > wrote: > >> > > Do you think we

[OAUTH-WG] review draft-ietf-oauth-security-topics-13 : JJennings

2019-11-08 Thread Jared Jennings
A few comments and changes that I think should be made or would read more clearly. 3.1 Paragraph #2 Should probably read either of the following Clients SHOULD avoid forwarding the user's browser to a URI obtained from a query parameter since such a function could be utilized to exfiltrate

Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"

2019-11-06 Thread Jared Jennings
Hi, This is my first time reviewing a document or responding to the group. So, with that introduction feel free to guide me along the way. Reading through the document, I had a few high-level questions first. I will have more detailed comments later, once I know I'm on the right track and I