aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

OAuth FiPNA Enhancements #28

Closed corriganjeff closed 11 months ago

corriganjeff commented 1 year ago

I added three sections I feel are important: 1.) Credential Stuffing/Abuse callout in security considerations. Browser-based front ends have lots of security checks inherently built into an IdP's flow. If we move the authNZ to be backend API based then it's important to call out to implementors that they should treat that API with the same security concerns as whatever API receives the request when a login form is submitted. 2.) New Grant Type needed. 3.) DCR Registration consideration and 4.) corrected minor typo

Happy to discuss. I have other updates I'll add and submit PRs/issues for later.
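The credential-stuffing point above is that a first-party app that posts the user's credentials to a backend endpoint has bypassed whatever throttling, lockout and enumeration defences the hosted login form had, so the endpoint needs its own. The following is an added illustration, not code from the draft, this PR or the aaronpk/oauth-first-party-apps project: a sliding-window failure counter keyed by username and by client IP, a temporary account lockout, a constant-time credential check that does the same hash work for unknown usernames, and a single `invalid_grant` response that does not reveal whether the account exists or is locked. The endpoint name, thresholds, user store and salt are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class CredentialAbuseGuard:
    """Sliding-window failure counters keyed by username and by client IP,
    with a temporary lockout once a username's failures reach the cap.
    Thresholds are illustrative assumptions, not values from the draft."""

    def __init__(self, max_user_failures=5, max_ip_failures=20,
                 window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_user_failures = max_user_failures
        self.max_ip_failures = max_ip_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock  # injectable so tests can move time forward
        self._user_failures = defaultdict(deque)
        self._ip_failures = defaultdict(deque)
        self._locked_until = {}

    def _prune(self, q, now):
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_blocked(self, username, ip):
        now = self.clock()
        if self._locked_until.get(username, 0) > now:
            return True
        self._prune(self._ip_failures[ip], now)
        return len(self._ip_failures[ip]) >= self.max_ip_failures

    def record_failure(self, username, ip):
        now = self.clock()
        uq = self._user_failures[username]
        self._prune(uq, now)
        uq.append(now)
        self._ip_failures[ip].append(now)
        if len(uq) >= self.max_user_failures:
            # Lock the account for a while, even if the right password comes next.
            self._locked_until[username] = now + self.lockout_s
            uq.clear()

    def record_success(self, username):
        self._user_failures.pop(username, None)
        self._locked_until.pop(username, None)


def _hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed sample user store for the example (not real credentials).
_SALT = b"fixed-demo-salt-not-for-production"
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}


def handle_password_exchange(guard, username, password, client_ip):
    """Simulated backend endpoint that receives what a login form would
    otherwise post. Returns (http_status, response_body)."""
    if guard.is_blocked(username, client_ip):
        # Same error as a bad password: the response must not disclose
        # whether the account exists, is locked, or the IP is throttled.
        return 400, {"error": "invalid_grant"}
    stored = USERS.get(username)
    # Always do the hash work so timing does not single out unknown users.
    candidate = _hash_password(password, _SALT)
    ok = stored is not None and hmac.compare_digest(candidate, stored)
    if not ok:
        # Unknown usernames are counted too, which also limits enumeration.
        guard.record_failure(username, client_ip)
        return 400, {"error": "invalid_grant"}
    guard.record_success(username)
    return 200, {"access_token": os.urandom(16).hex(), "token_type": "Bearer"}
```

The per-IP counter is a coarse stuffing brake (many usernames, one source); the per-username counter with lockout is the brute-force brake (one username, many sources). Returning the same `invalid_grant` for a lockout means a legitimate user gets no explicit signal, which is the trade-off a hosted login page usually makes with a CAPTCHA or an out-of-band notice instead; whichever you choose, the point of the callout is that the backend endpoint must make that choice at all.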