Open Sakurann opened 2 months ago
In general, how the AS determines first-partyness is at the core of this draft, but the information about that seems to be scattered across the document (sections 9.1, 9.4, 9.8, and 5). It would be good to consolidate those better.
Also, it is not very checkable/actionable to say "In order to preserve the security of this specification, the Authorization Server MUST verify the "first-partyness" of the client before continuing with the authentication flow." but then say "This specification is not prescriptive on how the Authorization Server establishes its trust in the first-partyness of the application".
I understand why you do not want to be prescriptive, but being a bit more precise and detailed on how the AS can establish "first-partyness" sounds crucial to me.
SHOULD feels too weak in section 9.4 on client auth. The AS has to be sure it is talking to the right client; that needs to be defined better.