oauth-wg/oauth-v2-1
OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/
Other
52
stars
27
forks
issues
consolidate description of serialization
#190
aaronpk
closed
6 days ago
2
7.X Stateless tokens and key rotation
#189
sakimura
opened
1 month ago
0
7.12 Phishing Attacks: Clarification and additional advice to the reader
#188
sakimura
opened
1 month ago
0
Expand on reasons for not including expires_in in the token response
#187
pilcrowonpaper
opened
2 months ago
1
weird reference, but okay
#186
bc-pi
closed
6 days ago
0
fix: typos
#185
grjan7
closed
1 week ago
0
Section 4.1.2.1 Error Response is unclear on how to handle an Invalid Authorization Endpoint request
#184
dfcoffin
opened
3 months ago
0
Clarify `aud` values that should be accepted in `private_key_jwt` at the token (and other) endpoints
#183
jogu
opened
4 months ago
2
add self to acknowledgements
#182
panva
closed
5 months ago
0
Authorization Endpoint HTTP `POST` binding
#181
panva
closed
6 days ago
1
Consider add field expires_at in token response
#180
jht5945
closed
6 months ago
2
Reasons for recommending loopback redirects over private-use URI scheme
#179
archer-321
opened
6 months ago
2
Replace "resource" with "resource server". See #177
#178
mrcaidev
closed
5 months ago
0
Typo: resource server instead of resource
#177
mrcaidev
closed
5 months ago
0
Allow public clients to use the `client_credentials` grant type
#176
bellebaum
closed
6 days ago
21
Remove duplicate "are"
#175
MozharAlhosni
closed
6 months ago
0
Strict JavaScript Exclusiveness?
#174
MozharAlhosni
opened
7 months ago
0
Minor fix
#173
MozharAlhosni
closed
6 months ago
0
clarify expires_in is a JSON number
#172
panva
closed
6 months ago
2
Handling of colliding URI query parameter names
#171
SECtim
opened
8 months ago
2
Ambiguous text around whether `code_challenge` is required
#170
SECtim
opened
8 months ago
2
Terminology: "relying party" vs. "client"
#169
SECtim
opened
8 months ago
3
"Surprising" printing service example in introduction
#168
SECtim
opened
8 months ago
0
Character encoding for the application/x-www-form-urlencoded format
#167
adeinega
opened
10 months ago
1
case sensitivity of Bearer http authentication scheme
#166
jogu
closed
6 months ago
4
native clients
#165
adeinega
closed
10 months ago
1
Use of 'permissions' term in refresh token section
#164
jogu
closed
10 months ago
1
Scope in relation to OIDC
#163
arukiidou
closed
6 months ago
1
the invalid_client error and HTTP authentication schemas
#162
adeinega
opened
1 year ago
1
Problems with authorization servers that don't support public clients
#161
hickford
opened
1 year ago
3
Strengthen "Authorization server SHOULD NOT process repeated authorization requests automatically" for public clients
#160
hickford
opened
1 year ago
1
Define "scope" higher up in the doc
#159
aaronpk
closed
1 year ago
0
GPG based authentication
#158
ghost
closed
1 year ago
1
OAuth 2.1 + OIDC: The implicit flow grant type is indeed mandatory to support the Hybrid flow.
#157
vanbukin
closed
1 year ago
1
Ask for review from HTTP WG
#156
aaronpk
opened
1 year ago
0
Move attack introduction to end of the Open Redirector section
#155
DevDengChao
closed
1 year ago
0
Fix clickjacking http message example format
#154
DevDengChao
closed
1 year ago
0
Bad http message example format in 7.11. Clickjacking section
#153
DevDengChao
closed
1 year ago
0
clarify last paragraph of 8.4.1
#152
dickhardt
closed
1 day ago
1
point implementers to OIDC in intro
#151
dickhardt
opened
1 year ago
0
Incorporated mix-up attack mitigations from security BCP
#150
kmzs
closed
10 months ago
3
Update DPoP references to RFC 9449
#149
aaronpk
closed
10 months ago
1
Prohibition of using OAuth for user authentication
#146
ritou
closed
1 day ago
1
Fix broken link on Section 4.3.Refresh Token Grant
#145
kg0r0
closed
1 year ago
1
There is a broken link in draft 08.
#144
kg0r0
closed
1 year ago
0
extension grants can allow unidentified clients
#143
bc-pi
closed
6 days ago
1
Native apps differences between mobile and desktop apps
#142
aaronpk
opened
1 year ago
1
Claimed https scheme as app identity proof
#141
aaronpk
opened
1 year ago
1
Repeated authorization requests
#140
aaronpk
opened
1 year ago
2
Define "explicit RO authentication"
#139
aaronpk
opened
1 year ago
0