Aaron Parecki

Results 470 comments of Aaron Parecki

@YataoFeng All the responses are JSON. Changing the request format to JSON is out of scope of OAuth 2.1, and also would serve no practical purpose.

@ioggstream Can you confirm that the current list of threats in the doc is still included in the latest set of NIST documents? What I'm looking for is whether the...

Seems reasonable to me. We added it to the agenda for IETF 116.

Pending the outcome of the discussions in #28

Technically I'm not sure case-sensitive matching of the host name is actually required if you were to follow RFC 3986, since host names are case-insensitive. We should probably clarify...

@tlodderstedt I believe the Security BCP has some updated language to use here, could you pull from that and make a PR?

There's already an exception for the random port, so we'll need to carve that out in this top section too.

and from Justin:

> §1.2: This diagram could use an update to not show the client talking directly to the RO in the first step, especially because the ROPC grant...

Also related to #29 "Clarify 'authorization grant'"