oauth-v2-1
                        OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
The printing service example in the introduction (just after the list of disadvantages of the client-server authentication model) comes somewhat as a surprise. https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L236-L242 I guess this could easily be...
from Vittorio: --- > The authorization server MUST compare the two URIs using simple > string comparison as defined in [RFC3986], Section 6.2.1. RFC3986 6.2.1 talks about character by character...
There are still some references to old URI specs like RFC3986, which have since been replaced by various IETF specs as well as the WHATWG URL spec.
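The "simple string comparison" requirement discussed in the two issues above, shown as an added example that is not code from the oauth-v2-1 draft or its repository: an exact-match redirect URI check next to a lax normalizing one, run over constructed request URIs. The client registration, the URIs and the function names are assumptions for illustration.

```python
"""Redirect URI matching: RFC 3986 6.2.1 simple string comparison versus a
lax normalizing comparison.

Added example for this issue thread; it is not code from the oauth-v2-1 draft
or its repository. The client registration, the request URIs and the
function names are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed registration record for a hypothetical client.
REGISTERED_REDIRECT_URIS = {
    "client-a": ["https://app.example/callback"],
}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Simple string comparison as the draft requires: the requested value
    must be character-for-character identical to a registered URI. No
    normalization, no prefix matching, no host-only comparison."""
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, [])


def lax_redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """A weaker, normalizing check (case-insensitive host, path prefix, query
    and fragment ignored). Included only to show what exact matching rules
    out; do not use this in an authorization server."""
    req = urlsplit(requested)
    for uri in REGISTERED_REDIRECT_URIS.get(client_id, []):
        reg = urlsplit(uri)
        if (reg.scheme == req.scheme and reg.hostname == req.hostname
                and req.path.startswith(reg.path)):
            return True
    return False


# Constructed redirect_uri values an authorization server might receive.
CASES = [
    "https://app.example/callback",                # identical to the registration
    "https://APP.example/callback",                # host case differs
    "https://app.example/callback/",               # trailing slash
    "https://app.example/callback/../admin",       # dot-segments; lax check accepts
    "https://app.example/callback?next=x",         # extra query
    "https://app.example/callback#frag",           # fragment
    "http://app.example/callback",                 # scheme downgrade
    "https://app.example.attacker.test/callback",  # different host
]


def accepted(checker) -> list:
    """Return the CASES that the given checker accepts for client-a."""
    return [uri for uri in CASES if checker("client-a", uri)]


if __name__ == "__main__":
    for uri in CASES:
        print(f"{uri:46} exact={redirect_uri_allowed('client-a', uri)!s:5} "
              f"lax={lax_redirect_uri_allowed('client-a', uri)}")
```

The exact check accepts only the registered string; the lax check also accepts the case-variant host, the trailing slash, the query, the fragment and the dot-segment path, the last of which can land the authorization code on a different endpoint of the same host. That is the class of mistake the draft's wording is meant to exclude, independent of which URI specification it cites.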
Document each change and, when there is a breaking change, note which role it breaks. e.g. A 2.1 client trying to work with a 2.0 server that uses PKCE...
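The PKCE requirement mentioned in the issue above, as an added example that is not code from the oauth-v2-1 draft or its repository: the S256 verifier/challenge derivation a client performs and the checks an OAuth 2.1 authorization server applies at the authorization and token endpoints. The in-memory code store, the client_id values and the class and function names are assumptions for illustration.

```python
"""PKCE with the S256 method, as OAuth 2.1 mandates for every client: the
client-side verifier/challenge derivation and the authorization server's
checks at the authorization and token endpoints.

Added example; not code from the oauth-v2-1 draft or its repository. The
in-memory code store, the client_id values and the class and function names
are constructed for illustration.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes base64url-encoded gives a 43-character verifier, the
    minimum length RFC 7636 allows (maximum is 128)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    RFC 7636 Appendix B vector: dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    -> E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS that binds the code_challenge to each issued code."""

    def __init__(self) -> None:
        self._codes: dict = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge=None,
                  code_challenge_method: str = "S256") -> str:
        # OAuth 2.1: a challenge is required and only S256 is acceptable.
        if not code_challenge or code_challenge_method != "S256":
            raise ValueError("invalid_request: S256 code_challenge required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier=None) -> dict:
        entry = self._codes.pop(code, None)  # a code is single-use
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        bound_client, challenge = entry
        if bound_client != client_id:
            raise ValueError("invalid_grant: code was issued to another client")
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            raise ValueError("invalid_grant: code_verifier missing or malformed")
        # Constant-time comparison of the recomputed challenge.
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            raise ValueError("invalid_grant: code_verifier does not match")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def _issued(srv, client_id, code, verifier) -> bool:
    """True if the AS issued a token for this request, False if it rejected."""
    try:
        srv.token(client_id, code, verifier)
        return True
    except ValueError:
        return False


def run_scenarios() -> dict:
    """Exercise the happy path and the failures PKCE is meant to catch.
    Returns scenario -> True if a token was issued, False if rejected."""
    srv = AuthorizationServer()
    out = {}

    verifier = make_verifier()
    code = srv.authorize("app", make_challenge(verifier))
    out["legit"] = "access_token" in srv.token("app", code, verifier)

    # Replay of an already-redeemed code.
    out["replay"] = _issued(srv, "app", code, verifier)

    # Code intercepted by a party that never saw the verifier.
    code = srv.authorize("app", make_challenge(make_verifier()))
    out["stolen_code"] = _issued(srv, "app", code, make_verifier())

    # Token request that omits code_verifier entirely.
    code = srv.authorize("app", make_challenge(verifier))
    out["no_verifier"] = _issued(srv, "app", code, None)

    # Authorization request with no challenge at all (2.1 rejects it).
    try:
        srv.authorize("app")
        out["no_challenge"] = True
    except ValueError:
        out["no_challenge"] = False
    return out
```

Enforcement is entirely server-side: a client that sends code_challenge cannot tell from the token response whether the server actually verified code_verifier, so a server that accepts the authorization request without a challenge, or a token request without a verifier, silently removes the protection. That is why both the authorize() and token() checks above are needed.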
from Vittorio: > On the identical scopes requirement. Say that after obtaining RT1, which includes scopes s1 and s2 for client c1, the RO revokes authorization for c1 to use...
from Vittorio: https://tools.ietf.org/html/draft-ietf-oauth-v2-1-00#section-6 > We might need to be more precise here. Do we mean the scopes consented by the RO in the request that led to the issuance of...
If the app can claim and own a URI on a platform, it MUST use that mechanism
Section 5.1 From Vittorio: > On the refresh_token parameter. The lack of details in how OAuth2 describes how/when an AS returns refresh tokens led to today’s complicated situation in which...
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-client-impersonation > The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the...