oauth-v2-1
OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
2.1 added a lot of text around how clients form authorization requests; the language does not, however, account for the optional POST binding at the authorization endpoint. > The authorization...
The current OAuth 2.1 draft mentions that > Many environments that support private-use URI schemes do not provide a mechanism to claim a scheme and prevent other parties from using...
There has been a case where the signing key for the stateless JWT-based access token was stolen and used by an attacker to mint new access tokens. Since the token...
Paragraph 1: it is not only the resource owners' password that can be phished. OTP etc. can be phished as well. Proposes to change: "steal resource owners' passwords" to "steal...
Hi, Is there a reason why the `expires_in` field exists but an equivalent for refresh token doesn't? Something like `refresh_token_expires_in`. I couldn't find any discussion on it in past mailing...