Last Call Review of draft-ietf-oauth-device-flow-10

Request Review of draft-ietf-oauth-device-flow
Requested rev. no specific revision (document currently at 15)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2018-06-12
Requested 2018-05-29
Draft last updated 2018-06-12
Completed reviews Secdir Last Call review of -10 by Christopher Wood (diff)
Genart Last Call review of -10 by Robert Sparks (diff)
Opsdir Last Call review of -10 by Qin Wu (diff)
Genart Telechat review of -11 by Robert Sparks (diff)
Assignment Reviewer Qin Wu
State Completed
Review review-ietf-oauth-device-flow-10-opsdir-lc-wu-2018-06-12
Reviewed rev. 10 (document currently at 15)
Review result Ready
Review completed: 2018-06-12


I have reviewed this document as part of the Operational directorate¡¯s ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.
Document reviewed:  draft-ietf-oauth-device-flow

This document defines device flow among browserless and input constrained devices, end user at browser and authorization server. This device flow allows OAuth clients to request user authorization from devices that have an Internet connection, but don't have an easy input method. This document is well written, especially security consideration section. I think it is ready for publication.

Major issue: None
Minor issue: Editorial
Section 3.3.1
The short name for NFV needs to be expanded, maybe add reference.
QR code also needs to be expanded.
Section 3.5:
Who is token endpoint, how token endpoint is related to authorization server? Would it be great to add some clarification text about this.
Section 4:
Would it be great to clarify the relationship between device_authorization_endpoint defined in this document and authorization_endpoint defined in draft-ietf-oauth-discovery-10 and explain why authorization_endpoint is not sufficient,e.g., draft-ietf-oauth-discovery-10 has already defined authorization server metadata value authorization_endpoint, however ¡­¡­