[Openid-specs-risc] OAuth2 dependencies action item

Phillip Hunt phil.hunt at independentid.com
Tue Aug 29 16:29:44 UTC 2023


After last week's call, I scanned through the document and I don’t find any OAuth2 dependencies any more. It turns out that a lot of common implementations of RFC8935/8936 assume tokens will be used to identify streams.

I added an issue (https://github.com/openid/sharedsignals/issues/104) which suggests we should add some clarifications for event transmission 8935/8936. A lot of implementations I have seen (including my own) use common endpoints and tokens to identify streams. It has been bugging me as to how things like token rotation will be handled. How to handle diagnostics if the token is opaque to the client. When streams are identified by token, it is harder to distinguish: Do I have the right stream? Is the client authorized for the stream? Is the authorization valid or expired?

Phillip Hunt
phil.hunt at independentid.com
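
The diagnostic problem raised in the message above, as an added example that is not part of the original post or of any Shared Signals implementation: a receiver-side lookup where the token alone selects the stream, next to one where the stream is named separately from the credential. All names, tokens, timestamps and diagnostic labels are hypothetical and constructed for illustration.

```python
# Constructed sample data: hypothetical stream registry and opaque-token table.
STREAMS = {"stream-a", "stream-b"}
TOKENS = {
    "tok-1": {"stream": "stream-a", "expires": 2_000_000_000},
    "tok-2": {"stream": "stream-b", "expires": 1_000_000_000},  # already expired
}
NOW = 1_700_000_000  # constructed "current time" so the example is deterministic


def resolve_by_token(token, now=NOW):
    """Common endpoint, token is the only stream identifier.

    Unknown and expired tokens collapse into one outcome, and a valid token
    for a different stream is accepted without any signal to the client.
    """
    grant = TOKENS.get(token)
    if grant is None or grant["expires"] <= now:
        return None, "unauthorized"
    return grant["stream"], "ok"


def resolve_explicit(stream_id, token, now=NOW):
    """Stream named separately from the credential.

    The credential is checked first; the labels are meant for server-side
    logs or for callers that have already presented a known token.
    """
    grant = TOKENS.get(token)
    if grant is None:
        return None, "unknown_token"
    if stream_id not in STREAMS:
        return None, "unknown_stream"
    if grant["stream"] != stream_id:
        return None, "not_authorized_for_stream"
    if grant["expires"] <= now:
        return None, "authorization_expired"
    return stream_id, "ok"


def compare(intended_stream, token):
    """Return (token-only outcome, explicit outcome) for one request."""
    return resolve_by_token(token), resolve_explicit(intended_stream, token)


if __name__ == "__main__":
    for stream, tok in [("stream-b", "tok-1"), ("stream-b", "tok-2"),
                        ("stream-c", "tok-1"), ("stream-a", "tok-1")]:
        print(stream, tok, compare(stream, tok))
```

In the first case printed, a client that meant `stream-b` but sent `tok-1` is accepted onto `stream-a` under the token-only model, while the explicit model reports the mismatch.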




