Torsten Lodderstedt

Results 16 comments of Torsten Lodderstedt

@JaceHensley Have you seen my last comment?

I would say the current practice is ok as long as there are alternative countermeasures in place, e.g. if the AS is sure the code is only released to...

RFC 3986 6.2.1. talks about "bit-for-bit" or "byte-for-byte" comparison, which means case sensitive matching. Is that what you want to state?

I'm understanding the attempt to come up with an abstract description of the flow, but I don't see a common denominator between client credential, code and refresh token. I suggest...

I'm in favor of retaining the RT but reducing its scope. The token response shall return the adjusted scope value. I don't see a value in revoking the RT in...

What part of the Security BCP are you referring to? I'm only aware of https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2.3, which refers to access tokens. In my opinion the meaning of the text in OAuth...