Hi Antonio,
Thanks for the feedback.
I agree that for non-confidential clients, the user needs to be prompted. It
might be fair to just confirm the grants rather than resetting them from
defaults.
I know some people are doing that, but I suspect that not everyone is.
Good stuff.
hi,
nice to see some work on this topic by the way!
Couple of comments below inline
On Jul 24, 2015, at 7:51 AM, John Bradley
ve7...@ve7jtb.com wrote:
Thanks for the review Erik,
We will go through it in detail and get back to you.
I am working with a couple of
Prompting is not necessarily a good thing.
It is very context specific, so please do not make it required.
Nat
2015-07-24 16:38 GMT+09:00 John Bradley ve7...@ve7jtb.com:
Hi Antonio,
Thanks for the feedback.
I agree that for non-confidential clients, the user needs to be prompted.
It
PKCE prevents a bad app from using the code when there's a collision in the
custom scheme used for the redirect URI. However the same app could
immediately issue a new authorization request with its own PKCE parameters
and (mostly) transparently get back a code that it can use. Having some
user
hi,
let me give you an example of what is my concern.
I admit this example is a bit extreme but still
As said one popular redirect_uri used by mobile app is http://localhost.
Let’s also say a resource owner uses this mobile app for the first time and approves
the consent screen and so forth….
It
Right, SHOULD NOT is fine. I am just asking not to make it a MUST NOT.
2015-07-24 17:47 GMT+09:00 Brian Campbell bcampb...@pingidentity.com:
PKCE prevents a bad app from using the code when there's a collision in
the custom scheme used for the redirect URI. However the same app could
Antonio, are you arguing for short token lifetimes and so frequent
explicit consent? or something more
if the app has a valid refresh token then there is no opportunity for
the AS to inject a consent screen
paul
On 7/24/15 3:00 AM, Antonio Sanso wrote:
hi,
nice to see some work on this
Hi,
Thanks for a great document! I volunteered to review
draft-wdenniss-oauth-native-apps-00 at the #IETF93 meeting so here we go:
In national mobile eID deployments an app is issued by gov or other
organisation in a country. The app acts as the user's authentication method
and it works with an
Thanks for the review Erik,
We will go through it in detail and get back to you.
I am working with a couple of governments on how an eID app could use the self
issued profile of OpenID Connect to issue tokens.
There are also other out of band authentication apps that people use that need
to