[Openid-specs-ab] OAuth Comments

Nat Sakimura sakimura at gmail.com
Mon Feb 6 04:09:40 UTC 2012

I am now thinking that perhaps I may want to compile a comment to
ietf at ietf.org re: OAuth 2.0.

I found one normative change disturbing: the randomness requirement,
which I have already posted about to the OAuth list.
It is a normative MUST clause, yet so vague... Also, it does not take
into account other risk control measures,
which may limit OAuth's usefulness in some scenarios.

There are editorial fixes needed as well. I was hoping that someone
would fix it, but it did not get fixed.
It uses both "Implicit Flow" and "Implicit Grant Flow". It should
standardize on one.

Anything else?


Nat Sakimura (=nat)
Chairman, OpenID Foundation
