oauth-v2-1
OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
2.1 added a lot of text around how clients form authorization requests; the language does not, however, account for the optional POST binding at the authorization endpoint. > The authorization...
The current OAuth 2.1 draft mentions that > Many environments that support private-use URI schemes do not provide a mechanism to claim a scheme and prevent other parties from using...
There has been a case where the signing key for the stateless JWT-based access token was stolen and used by an attacker to mint new access tokens. Since the token...
Paragraph 1: it is not only the resource owners' password that can be phished. OTP etc. can be phished as well. Proposes to change: "steal resource owners' passwords" to "steal...
Hi, is there a reason why the `expires_in` field exists but an equivalent for refresh token doesn't? Something like `refresh_token_expires_in`. I couldn't find any discussion on it in past mailing...
Add definitions for client_secret_basic, client_secret_post and none client authentication methods
Whilst the revised text in OAuth 2.1 does clear up a lot of my concerns from the OAuth mailing list, it still doesn't explicitly define the methods by name from...
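The three methods the issue asks the draft to define by name, shown as an added example (not code from the draft, the issue author, or any library): the client side builds a token request for `client_secret_basic` (RFC 6749 section 2.3.1, client_id and secret form-urlencoded and then Basic-encoded), `client_secret_post` (both values in the form body) or `none` (public client, client_id only), and the server side identifies which method was used and verifies it, rejecting a request that presents more than one method as RFC 6749 section 2.3 requires. The `CLIENTS` registry and its identifiers are constructed for the example.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlencode, parse_qs

# Constructed registry (hypothetical): client_id -> (registered auth method, secret or None).
# Secrets are kept in clear only for brevity; a real AS would store a hash.
CLIENTS = {
    "s6BhdRkqt3": ("client_secret_basic", "7Fjfp0ZBr1KtDRbnfVdmIw"),
    "web-app": ("client_secret_post", "gX1fBat3bV"),
    "native-app": ("none", None),
}


def build_token_request(client_id, method, secret=None, grant_params=None):
    """Client side: return (headers, body) for a token request using `method`."""
    params = dict(grant_params or {})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, then HTTP Basic.
        creds = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = secret
    elif method == "none":
        # Public client: identifies itself, presents no credential.
        params["client_id"] = client_id
    else:
        raise ValueError(f"unknown client authentication method: {method}")
    return headers, urlencode(params)


def authenticate_client(headers, body):
    """Server side: return (client_id, method) or raise ValueError with the
    OAuth error code the token endpoint would return."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    presented = []
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        raw = base64.b64decode(auth[len("Basic "):]).decode()
        cid, _, sec = raw.partition(":")
        presented.append(("client_secret_basic", unquote(cid), unquote(sec)))
    if "client_secret" in form:
        presented.append(("client_secret_post", form.get("client_id", ""), form["client_secret"]))
    # RFC 6749 2.3: a client MUST NOT use more than one method per request.
    if len(presented) > 1:
        raise ValueError("invalid_request: multiple client authentication methods")
    if not presented:
        # No credential: only a client registered as public ("none") may proceed.
        cid = form.get("client_id", "")
        reg = CLIENTS.get(cid)
        if reg is None or reg[0] != "none":
            raise ValueError("invalid_client")
        return cid, "none"
    method, cid, sec = presented[0]
    reg = CLIENTS.get(cid)
    # The method used must be the one the client registered with.
    if reg is None or reg[0] != method or reg[1] is None:
        raise ValueError("invalid_client")
    if not hmac.compare_digest(reg[1].encode(), sec.encode()):
        raise ValueError("invalid_client")
    return cid, method
```

The registered-method check matters in both directions: a public client that suddenly presents a `client_secret` is rejected rather than silently accepted, and a confidential client that omits its credential cannot downgrade itself to `none`.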
https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html#section-7.11 says: > A code injection attack occurs when an input or otherwise external variable is used by an application unsanitized and causes modification to the application logic. This may...
Removes the dupe (9447) and sorts the #extensions by their RFC number. Closes #193
Adds the change from dcd8716 to https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#name-differences-from-oauth-20