Gabriel Corona

Results 204 comments of Gabriel Corona

Note that my examples could probably be integrated into existing verifications.

> do you think there is need to formulate some separate requirements [...]

If RAR is considered in scope, it might be useful I guess. Maybe this might be included (or...

> OIDC has become industry standard for login, SSO and federation.

Nitpick, introduce the abbreviation on first usage? "OpenID Connect (OIDC) has become industry standard for login, web single sign-on...

Currently the OpenID Connect verifications use the OAuth terminology (client, authorization server). If they are moved into a dedicated chapter, should this be changed to use the OIDC terminology (relying...

*sanitizing* SpEL looks like a very bad idea doomed to failure :smile: I am not sure SpEL injection should be mentioned here but more alongside shell command injection, JavaScript/PHP/Python `eval()`,...

> It is clear that confused deputy/mix-up vulnerabilities are inherent today, wherein MCP clients will present access tokens obtained from any OAuth authorization server chosen by the MCP server -...

I think I feel the first two sentences are somewhat weird in this context (probably subjective):

* It starts with a statement about V6 ("V6 goes beyond simply defining best practices")....

General comment about wording. List of some wording which might need discussion and should be checked for consistency throughout the document:

* allow list / block list : liste...

I'll try to make a quick review (for the modifications) in the following days.