Re: [OAUTH-WG] Token Binding & implicit

2018-11-20 Thread Aaron Parecki
Agreed with 4. Since the security BCP is deprecating the implicit flow, it seems like it's not worth the effort to try to come up with a solution for this when the security implications of doing this aren't clear yet either. Aaron Parecki aaronparecki.com On Tue, Nov 20, 2018 at 11:36 AM

Re: [OAUTH-WG] Token Binding & implicit

2018-11-20 Thread Torsten Lodderstedt
I opt for (4) - Remove support/description of binding of access tokens issued from the authorization endpoint. I think the potential solution we worked out (slide 6) is too complex and the security implications of the redirect via the resource servers are still unclear. > Am 18.11.2018 um

[OAUTH-WG] Token Binding & implicit

2018-11-18 Thread Brian Campbell
During the first OAuth session in Bangkok the question "what to do about token binding & implicit?" was raised. There was some discussion but session time was limited and we had to move on before any real consensus was reached. So I thought I'd bring the question to the WG list to generate some