Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-25 Thread Jaimandeep Singh
Dear Warren, It is always nice to read your elaborately written views. It helps in getting perspective. I have a slightly different take on the subject. What is the client application going to do with the "acr_values"? Ultimately, it is going to send these values to the authorization server in

[OAUTH-WG] Security Topics | Incorporate in-browser communication security considerations | PR53

2022-10-25 Thread Christian Mainka
Hi, we would like to request the inclusion of _in-browser communication security considerations_ in the OAuth security topics. We found that in-browser communications like the postMessage API are widely used by Clients and Authorization Servers as an alternative to the standardized HTTP

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-25 Thread Warren Parad
I'm glad that we can move on from item No 1. Regarding this second one, the AS is not required to be involved in this communication, as the RS already has the capability to convey to the user agent why the access token is denied. It just hasn't been standardized. There are lots of reasons why an

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-25 Thread Jaimandeep Singh
Dear Warren, Brian and Vittorio, My concerns regarding the additional complexity are well addressed by Warren. I am reproducing the same for the sake of records in the email archive. > I'd love to see a situation where it is a better at the gateway level. The > problem is that, even if you could, you

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-25 Thread Joseph Heenan
Hi Pieter / Daniel / Filip, It’s great to see this document moving forward. I may have missed it, but it may be worth being more explicit that one solution is to avoid using cross-device flows for same-device scenarios? It’s sort of obvious, but questions like “well CIBA works for both