[Openid-specs-fapi] Issue #386: Grant Management: public vs private clients (openid/fapi)

Brian Campbell issues-reply at bitbucket.org
Thu Feb 25 17:03:34 UTC 2021

New issue 386: Grant Management: public vs private clients

Brian Campbell:

1. The [incremental authz draft](https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz), hailing from the IETF OAUTH WG, is different from grant management but also similar in many respects. For security reasons, the former has some significantly distinct functionality based on whether the client can authenticate or not. William Denniss \(the man with two first names\) is a pretty smart dude so I trust there’s good reason for it. Meanwhile there’s no such distinction in grant management. I’ve admittedly not thought it all though but I suspect that grant management needs some more work in this respect. Like maybe different behavior or recommendations for public clients, of disallowing parts of it’s use by public clients. Or, if not, some security considerations/analysis saying why it’s okay. 


More information about the Openid-specs-fapi mailing list