issues
search
oauth-wg
/
oauth-v2-1
OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/
Other
51
stars
27
forks
source link
issues
Newest
Newest
Most commented
Recently updated
Oldest
Least commented
Least recently updated
7.X Stateless tokens and key rotation
#189
sakimura
opened
1 week ago
0
7.12 Phishing Attacks: Clarification and additional advice to the reader
#188
sakimura
opened
1 week ago
0
Standardize refresh token expiration field in token responses
#187
pilcrowOnPaper
opened
3 weeks ago
1
weird referece, but okay
#186
bc-pi
opened
1 month ago
0
fix: typos
#185
grjan7
opened
2 months ago
0
Section 4.1.2.1 Error Response is unclear on how to handle an Invalid Authorization Endpoint request
#184
dfcoffin
opened
2 months ago
0
Clarify `aud` values that should be accepted in `private_key_jwt` at the token (and other) endpoints
#183
jogu
opened
2 months ago
1
add self to acknowledgements
#182
panva
closed
3 months ago
0
Authorization Endpoint HTTP `POST` binding
#181
panva
opened
4 months ago
0
Consider add field expires_at in token response
#180
jht5945
closed
4 months ago
2
Reasons for recommending loopback redirects over private-use URI scheme
#179
archer-321
opened
4 months ago
2
Replace "resource" with "resource server". See #177
#178
mrcaidev
closed
4 months ago
0
Typo: resource server instead of resource
#177
mrcaidev
closed
3 months ago
0
Allow public clients to use the `client_credentials` grant type
#176
bellebaum
opened
4 months ago
20
Remove duplicate "are"
#175
MozharAlhosni
closed
5 months ago
0
Strict JavaScript Exclusiveness?
#174
MozharAlhosni
opened
5 months ago
0
Minor fix
#173
MozharAlhosni
closed
5 months ago
0
clarify expires_in is a JSON number
#172
panva
closed
5 months ago
2
Handling of colliding URI query parameter names
#171
SECtim
opened
7 months ago
1
Ambigious text around whether `code_challenge` is required
#170
SECtim
opened
7 months ago
2
Terminology: "relying party" vs. "client"
#169
SECtim
opened
7 months ago
0
"Suprising" printing service example in introduction
#168
SECtim
opened
7 months ago
0
Character encoding for the application/x-www-form-urlencoded format
#167
adeinega
opened
8 months ago
0
case sensitivity of Bearer http authentication scheme
#166
jogu
closed
4 months ago
4
native clients
#165
adeinega
closed
9 months ago
1
Use of 'permissions' term in refresh token section
#164
jogu
closed
9 months ago
1
Scope in relation to OIDC
#163
arukiidou
closed
4 months ago
1
the invalid_client error and HTTP authentication schemas
#162
adeinega
opened
1 year ago
1
Problems with authorization servers that don't support public clients
#161
hickford
opened
1 year ago
2
Strengthen "Authorization server SHOULD NOT process repeated authorization requests automatically" for public clients
#160
hickford
opened
1 year ago
1
Define "scope" higher up in the doc
#159
aaronpk
closed
1 year ago
0
GPG based authentication
#158
ghost
closed
1 year ago
1
OAuth 2.1 + OIDC: The implicit flow grant type is indeed mandatory to support the Hybrid flow.
#157
vanbukin
closed
1 year ago
1
Ask for review from HTTP WG
#156
aaronpk
opened
1 year ago
0
Move attack introduction to end of the Open Redirector section
#155
DevDengChao
closed
1 year ago
0
Fix clickjacking http message example format
#154
DevDengChao
closed
1 year ago
0
Bad http message example format in 7.11. Clickjacking section
#153
DevDengChao
closed
1 year ago
0
clarify last paragraph of 8.4.1
#152
dickhardt
opened
1 year ago
0
point implementers to OIDC in intro
#151
dickhardt
opened
1 year ago
0
Incorporated mix-up attack mitigations from security BCP
#150
kmzs
closed
9 months ago
3
Update DPoP references to RFC 9449
#149
aaronpk
closed
9 months ago
1
Prohibition of using OAuth for user authentication
#146
ritou
opened
1 year ago
0
Fix broken link on Section 4.3.Refresh Token Grant
#145
kg0r0
closed
1 year ago
1
There is a broken link in draft 08.
#144
kg0r0
closed
1 year ago
0
extension grants can allow unidentified clients
#143
bc-pi
opened
1 year ago
1
Native apps differences between mobile and desktop apps
#142
aaronpk
opened
1 year ago
1
Claimed https scheme as app identity proof
#141
aaronpk
opened
1 year ago
1
Repeated authorization requests
#140
aaronpk
opened
1 year ago
2
Define "explicit RO authentication"
#139
aaronpk
opened
1 year ago
0
All query parameters should be URL encoded in these two examples
#138
adeinega
closed
1 year ago
0
Next