[Openid-specs-ab] Transient Client Secret Extension for OAuth

Brian Campbell bcampbell at pingidentity.com
Mon Jul 29 06:41:21 UTC 2013


IMHO, invalid_grant is the proper error response code, not invalid_client.

Along the same lines, I'd like to see it named something more like "message
correlation id" rather than anything involving client secret.

This is a general OAuth problem and I believe the solution should be
general too. Thus, at least the base definition of the parameter(s) should
not require discovery or rely on any of the Connect documents.


On Sun, Jul 28, 2013 at 9:39 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> As some of you knows, passing the code securely to a native app on iOS
> platform is next to impossible. Malicious application may register the same
> custom scheme as the victim application and hope to obtain the code, whose
> success rate is rather high.
>
> We have discussed about it during the OpenID Conenct Meeting at IETF 87
> today, and I have captured the discussion in the form of I-D. It is pretty
> short and hopefully easy to read.
>
> You can find it at:
>
> https://bitbucket.org/Nat/drafts/src/
>
> Comments are welcome.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130729/89157182/attachment-0001.html>


More information about the Openid-specs-ab mailing list