[Openid-specs-heart] Comments on Draft HEART Profile for OAuth 2.0

Luis C. Maas III, M.D., Ph.D. lcmaas at emrdirect.com
Mon Apr 10 19:20:27 UTC 2017


Hi All, a few comments on the current draft of the HEART Profile for
OAuth 2.0: 

- Section 2.1.3.1: there is a reference to Section 2.1.4 for keys;
should this reference 2.1.5 instead? 

- Section 2.1.3.2: The section states that native apps may use a common
client_id + PKCE. Lock-out mechanisms (temporary or permanent) at an AS
triggered by repeated failed client authentication attempts may be based
on client_id. It seems like the use of a common client_id opens up the
possibility of one compromised or misconfigured native app instance
locking out all instances of that app at a particular AS. I agree that
adding PKCE support is a good idea, but I think a per-instance client_id
should be required whether or not PKCE is used, and that the option to
use a common client_id be removed.

- Section 2.1.4: The section states that native apps MUST receive a
unique per-instance client_id. This conflicts with the choice to use a
common client_id + PKCE currently permitted in 2.1.3.2.

- Section 4.2: Typo "acceept"

Luis 

Luis C. Maas III, M.D., Ph.D.

CTO
EMR Direct
www.emrdirect.com
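The lock-out concern raised above for Section 2.1.3.2 can be made concrete with a small model. The following is an added illustration, not part of Luis's e-mail and not code from the HEART profile or any OpenID implementation. It implements the RFC 7636 PKCE S256 verifier/challenge computation and a constructed toy authorization server whose lock-out counter is keyed by client_id, as the e-mail assumes. The lock-out threshold of three failures, the client_id strings, and the "misconfigured instance sends the code_challenge where the code_verifier belongs" bug are all assumptions chosen for the demonstration.

```python
"""PKCE (RFC 7636) helpers plus a constructed model of an AS lock-out keyed by client_id."""
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

LOCKOUT_THRESHOLD = 3  # assumed AS policy for this illustration; real deployments vary


def b64url(data: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 Appendix A describes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random octets -> 43-character verifier (RFC 7636 Section 4.1 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


class ToyAuthorizationServer:
    """Constructed AS model: authorization codes bound to a code_challenge, and a
    lock-out counter keyed by client_id (the behaviour the e-mail worries about)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.codes = {}                   # code -> (client_id, code_challenge)
        self.failures = defaultdict(int)  # client_id -> consecutive token-endpoint failures
        self.locked = set()               # client_ids currently locked out

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Optional[str]:
        if client_id in self.locked:
            return None
        bound = self.codes.pop(code, None)  # codes are single use
        if bound is None or bound[0] != client_id or not verify_pkce(bound[1], code_verifier):
            self.failures[client_id] += 1
            if self.failures[client_id] >= self.threshold:
                self.locked.add(client_id)
            return None
        self.failures[client_id] = 0
        return "access-token-" + b64url(secrets.token_bytes(8))


class NativeAppInstance:
    """One installed copy of a native app. broken=True models a misconfigured
    instance that sends the challenge where the verifier belongs (constructed bug)."""

    def __init__(self, client_id: str, broken: bool = False):
        self.client_id = client_id
        self.broken = broken

    def login(self, server: ToyAuthorizationServer) -> bool:
        verifier = make_code_verifier()
        challenge = make_code_challenge(verifier)
        code = server.authorize(self.client_id, challenge)
        presented = challenge if self.broken else verifier
        return server.token(self.client_id, code, presented) is not None


def simulate(shared_client_id: bool) -> dict:
    """Drive a misconfigured instance to lock-out, then check whether a healthy
    instance of the same app can still obtain a token."""
    server = ToyAuthorizationServer()
    bad_id = "heart-app-common" if shared_client_id else "heart-app-instance-1"
    good_id = "heart-app-common" if shared_client_id else "heart-app-instance-2"
    bad = NativeAppInstance(bad_id, broken=True)
    good = NativeAppInstance(good_id)
    bad_results = [bad.login(server) for _ in range(LOCKOUT_THRESHOLD)]
    return {
        "bad_instance_ever_succeeded": any(bad_results),
        "client_id_locked": bad_id in server.locked,
        "healthy_instance_can_login": good.login(server),
    }


if __name__ == "__main__":
    print("shared client_id:      ", simulate(shared_client_id=True))
    print("per-instance client_id:", simulate(shared_client_id=False))
```

With a shared client_id the healthy instance is refused once the misconfigured one has tripped the counter; with per-instance client_ids the lock-out stays confined to the faulty instance. PKCE itself is unaffected either way, which is why the e-mail treats PKCE and per-instance client_id as separate requirements.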