oauth-v2-1
OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
Hi, I was looking through the current draft when I found this: `The client credentials grant type MUST only be used by confidential clients.` I was wondering where...
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly Unfortunately many authorization servers *don't* record client type....
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#section-3.2.3.1 says that > "**invalid_client**": Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code...
From the "[Impersonation of native apps](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-7.3.1)" security considerations section: > Measures such as claimed https scheme redirects MAY be accepted by authorization servers as identity proof. Some operating systems may...
Much of Vittorio's feedback in the native apps section stems from the differences in practice of mobile apps and desktop apps. Should these recommendations be scoped to mobile apps now...
Section 3.2.2 Tokens states that > The client makes a request to the token endpoint by sending the following parameters using the application/x-www-form-urlencoded format per Appendix B with...
The following text snippets seem like a `code_challenge` is always required in the authorization request (for authZ code flows). Description of the authZ code flow figure: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1468-L1470 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1485-L1487 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1493-L1494 Section...
In some places, the term "relying party" is used instead of "client": https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L2820-L2822 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L2578-L2582
The URIs for the **redirect** and **authorization** endpoints may contain additional query parameters that must be retained when adding more parameters: https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L860-L865 https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1118-L1121 Furthermore, query parameters must only appear once...
Under [Token Endpoint](https://github.com/oauth-wg/oauth-v2-1/blob/main/draft-ietf-oauth-v2-1.md#token-endpoint), it states: > Authorization servers that wish to support browser-based applications (applications running exclusively in client-side JavaScript without access to a supporting backend server) However, the sentence...