Discussion:
[OAUTH-WG] Alexey Melnikov's No Objection on
William Denniss
2017-06-02 01:41:28 UTC
Thanks Alexey and Brian.

In my staged
<https://github.com/WilliamDenniss/draft-ietf-oauth-native-apps/pull/9/files>
copy, I've added a reference to RFC7230, which according to IANA
<https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml> holds the
definition of the https scheme. Will be included in the next update.

I also verified that our Section 2 includes "NOT RECOMMENDED" per the
errata.
As far as I can tell, 'NOT RECOMMENDED' is fine per RFC 2119.
from https://www.ietf.org/rfc/rfc2119.txt
4. SHOULD NOT This phrase, *or the phrase "NOT RECOMMENDED"* mean that
there may exist valid reasons in particular circumstances when the
particular behavior is acceptable or even useful, but the full
implications should be understood and the case carefully weighed
before implementing any behavior described with this label.
And also this erratum notes that NOT RECOMMENDED should be in the first part of the abstract https://www.rfc-editor.org/errata_search.php?rfc=2119&eid=499
Never mind then!
Alexey Melnikov has entered the following ballot position for
draft-ietf-oauth-native-apps-11: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.
https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
----------------------------------------------------------------------
----------------------------------------------------------------------
8.2. OAuth Implicit Grant Authorization Flow
The OAuth 2.0 implicit grant authorization flow as defined in
Section 4.2 of OAuth 2.0 [RFC6749] generally works with the practice
of performing the authorization request in the browser, and receiving
the authorization response via URI-based inter-app communication.
However, as the Implicit Flow cannot be protected by PKCE (which is
required in Section 8.1), the use of the Implicit Flow with native
apps is NOT RECOMMENDED.
NOT RECOMMENDED is not actually a construct allowed by RFC 2119, I think
you should reword it using "SHOULD NOT".
It would be good to add RFC reference for HTTPS URIs.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
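The quoted Section 8.2 text says the implicit grant cannot be protected by PKCE. The following is an added example, not code from the draft, the thread or any project it cites, that makes the reason concrete with a toy in-memory authorization server: in the code grant, the access token is only issued at the back-channel token endpoint, where the server can demand the code_verifier that never left the legitimate app; in the implicit grant, the token itself rides the front-channel redirect, so any app that can observe that redirect (for instance one registered for the same custom URI scheme) already holds a usable token and there is no later step at which a verifier could be checked. The client id, the redirect URI com.example.app:/oauth2redirect, and the server's storage are assumptions for the illustration; the S256 transform follows RFC 7636.

```python
"""Toy OAuth 2.0 authorization server contrasting the authorization code
grant with PKCE (RFC 7636) against the implicit grant (RFC 6749 Section 4.2).
Added example; client ids, redirect URI and the in-memory store are assumed."""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """base64url without padding (RFC 7636, Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random octets -> 43 unreserved characters, within RFC 7636's 43..128."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Assumed custom-scheme redirect URI of the kind native apps register.
REDIRECT_URI = "com.example.app:/oauth2redirect"


class ToyAuthServer:
    def __init__(self) -> None:
        # code -> (code_challenge, code_challenge_method) captured at /authorize
        self.codes: Dict[str, Tuple[Optional[str], Optional[str]]] = {}

    def authorize(self, params: Dict[str, str]) -> str:
        """Front channel. Returns the redirect URI the user agent would open."""
        if params["response_type"] == "code":
            code = secrets.token_urlsafe(16)
            self.codes[code] = (params.get("code_challenge"),
                                params.get("code_challenge_method"))
            return params["redirect_uri"] + "?" + urlencode(
                {"code": code, "state": params["state"]})
        if params["response_type"] == "token":
            # Implicit grant: the token itself rides the redirect. No later
            # request exists in which a code_verifier could be demanded.
            return params["redirect_uri"] + "#" + urlencode(
                {"access_token": secrets.token_urlsafe(16),
                 "token_type": "Bearer", "state": params["state"]})
        raise ValueError("unsupported response_type")

    def token(self, code: str, code_verifier: Optional[str]) -> Dict[str, str]:
        """Back channel. Codes are single-use; PKCE is verified here (RFC 7636 4.6)."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, method = entry
        if challenge is not None:
            ok = (method == "S256" and code_verifier is not None and
                  secrets.compare_digest(s256_challenge(code_verifier), challenge))
            if not ok:
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def code_flow(server: ToyAuthServer, interceptor_redeems: bool) -> bool:
    """Run the code grant with PKCE. If interceptor_redeems, a second app that
    also claimed REDIRECT_URI's scheme sees the redirect and redeems the code;
    it never saw code_verifier, which stayed in the legitimate app's memory.
    Returns True if whoever redeemed the code received an access token."""
    verifier = make_verifier()
    redirect = server.authorize({
        "response_type": "code", "client_id": "native-app", "state": "s1",
        "redirect_uri": REDIRECT_URI,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256"})
    code = parse_qs(urlparse(redirect).query)["code"][0]
    presented = None if interceptor_redeems else verifier
    return "access_token" in server.token(code, presented)


def implicit_flow_leaks_token(server: ToyAuthServer) -> bool:
    """Run the implicit grant and report whether any app observing the redirect
    (the legitimate one or an interceptor alike) already holds a usable token."""
    redirect = server.authorize({
        "response_type": "token", "client_id": "native-app", "state": "s2",
        "redirect_uri": REDIRECT_URI})
    return "access_token" in parse_qs(urlparse(redirect).fragment)


if __name__ == "__main__":
    print("code grant, legitimate client redeems:", code_flow(ToyAuthServer(), False))
    print("code grant, interceptor redeems:", code_flow(ToyAuthServer(), True))
    print("implicit grant, interceptor reads token:",
          implicit_flow_leaks_token(ToyAuthServer()))
```

The toy server binds the S256 challenge to the code at the authorization endpoint and only releases a token when the matching verifier is presented at the token endpoint; with the implicit grant that endpoint is never visited, which is the whole reason PKCE has nothing to protect there.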