Apologies, I meant to send this to the list. SMH.... Deb
---------- Forwarded message ---------
From: Deb Cooley <[email protected]>
Date: Wed, Mar 11, 2026 at 11:28 AM
Subject: AD comments on draft-ietf-oauth-rfc7523bis
To: <[email protected]>
Cc: Web Authorization Protocol Working Group <[email protected]>

Hi,

Below is a complete set of my comments on this draft (I've pestered the authors about a couple of early comments raised by idnits already).

idnits v3 (experimental) raised three issues, one of them is legit, one is borderline, and the last is clearly in error:

- idnits points out that it is preferred if BCP 14 is referenced. If you need me to find you an example of how to do this, I can.
- RFCs to be updated are not in the Abstract.
- the third entry here is clearly in error. Mea Culpa. (about open.org in the references)

Section 1: (improve clarity) The token identifies the recipient? via an audience value(s)? If that is correct, then maybe the second sentence could be something like 'These tokens, which identify the recipient, contain an audience value(s).' s/aud/'aud' (or something to make it obvious that this is a field name).

Section 3, replacing text: I'm not sure the parenthetical for Section 2.2 (The authors are not actually aware....) adds much. I would remove it.

Section 4 a. and b.: Just to be sure I understand... for an authorization grant the audience can be the token endpoint URL (and nothing else), but for client authentication, the 'aud' claim value must not be the token endpoint URL (it has to be the issuer identifier). Assuming that audience = aud (audience) claim value. [I have no judgement on this, just being sure this is what you intended to say.]

Section 7.1.1, contact information: I believe we can use oauth for this contact (vice a person). This is the authors' preference.

The publication window opens on Monday, hopefully it is fine to wait until then. Once these are addressed, I will put the draft into IETF Last Call (3 weeks because of IETF 125).

Thanks for your patience,
Deb
