Last Call Review of draft-ietf-oauth-introspection-08
review-ietf-oauth-introspection-08-opsdir-lc-morand-2015-06-23-00

Request Review of draft-ietf-oauth-introspection
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2015-06-09
Requested 2015-05-27
Authors Justin Richer
I-D last updated 2015-06-23
Completed reviews Genart Last Call review of -08 by Wassim Haddad (diff)
Secdir Last Call review of -08 by Stephen Kent (diff)
Opsdir Last Call review of -08 by Lionel Morand (diff)
Assignment Reviewer Lionel Morand
State Completed
Request Last Call review on draft-ietf-oauth-introspection by Ops Directorate Assigned
Reviewed revision 08 (document currently at 11)
Result Has issues
Completed 2015-06-23
I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written with the intent of improving the operational aspects of the
IETF drafts. Comments that are not addressed in last call may be included in AD
reviews during the IESG review. Document editors and WG chairs should treat
these comments just like any other last call comments.



This document is well-written, clear and almost ready to be published. I have
however some comments:



1/ I share the comment from Barry regarding "MUST support POST, and MAY support
GET" in section 2.1.

2/ Sorry if it is obvious, but there is no indication on how the protected
resources discover the introspection endpoint to which to send the request. It
might be explained in some other documents, but we could find this information
in this document as well (or at least a reference).



Minor comments:



sect 2.1:



   The endpoint MAY allow other parameters to provide further context to
   the query.  For instance, an authorization service may need to know
   the IP address of the client accessing the protected resource in
   order to determine the appropriateness of the token being presented.



Which endpoint are you referring to at the beginning of the sentence:
introspection endpoint, authorization endpoint, token endpoint, other? I guess
it is the first one, but please clarify.



In the second sentence, I think it is "authorization server" instead of
"authorization service"



Regards,



Lionel
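The first comment above concerns the "MUST support POST, MAY support GET" wording for the introspection endpoint. The operational reason to favour POST is that a token carried in a GET query string ends up in web server access logs, proxy logs and browser history, whereas a form-encoded POST body does not. The following is an added example (not code from the review, the draft or any reference implementation) of the request-handling logic of an introspection endpoint that offers only POST, authenticates the calling protected resource, and collapses unknown, revoked and expired tokens into the same `{"active": false}` answer so the endpoint does not act as an oracle. The client registrations, token store, secrets and reference time are all constructed for the example; `introspect`, `authenticate_client` and `basic_auth_header` are hypothetical helper names.

```python
"""Introspection endpoint handling in the style of the OAuth token introspection
draft. Added example with constructed data; not the draft's or a project's code."""
import base64
import hmac
import time
from urllib.parse import parse_qs

# Constructed registrations: protected resources permitted to call the endpoint,
# keyed by client_id. The caller must authenticate before learning anything.
RESOURCE_CLIENTS = {"resource-server-1": "constructed-secret"}

# Constructed reference time and token store; 'exp' is an absolute UNIX time.
NOW_FIXED = 1_500_000_000
TOKEN_STORE = {
    "tok-active-01": {"client_id": "app-a", "scope": "read write",
                      "sub": "alice", "exp": NOW_FIXED + 3600},
    "tok-expired-02": {"client_id": "app-a", "scope": "read",
                       "sub": "bob", "exp": NOW_FIXED - 60},
}


def basic_auth_header(client_id, secret):
    """Build the HTTP Basic Authorization header value a resource server sends."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate_client(headers):
    """Return the client_id of a registered resource server, or None if the
    Authorization header is missing, malformed or carries a wrong secret."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, _, secret = decoded.partition(":")
    expected = RESOURCE_CLIENTS.get(client_id)
    # Constant-time comparison so secret checking does not leak by timing.
    if expected is None or not hmac.compare_digest(expected, secret):
        return None
    return client_id


def introspect(method, headers, body, now=None):
    """Handle one introspection request and return (http_status, response_dict).

    Only POST with a form-encoded body is accepted: the token stays out of the
    URL and therefore out of access logs, proxy logs and browser history.
    """
    now = int(time.time()) if now is None else now
    if method != "POST":
        return 405, {"error": "invalid_request",
                     "error_description": "introspection requests must use POST"}
    content_type = headers.get("Content-Type", "").split(";")[0].strip()
    if content_type != "application/x-www-form-urlencoded":
        return 400, {"error": "invalid_request"}
    if authenticate_client(headers) is None:
        return 401, {"error": "invalid_client"}
    params = parse_qs(body, keep_blank_values=True)
    token = params.get("token", [""])[0]
    if not token:
        return 400, {"error": "invalid_request",
                     "error_description": "missing token parameter"}
    record = TOKEN_STORE.get(token)
    # Unknown, revoked and expired tokens are indistinguishable to the caller.
    if record is None or record["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **record}


if __name__ == "__main__":
    hdrs = {"Authorization": basic_auth_header("resource-server-1", "constructed-secret"),
            "Content-Type": "application/x-www-form-urlencoded"}
    print(introspect("GET", hdrs, "token=tok-active-01", now=NOW_FIXED))
    print(introspect("POST", hdrs, "token=tok-active-01", now=NOW_FIXED))
    print(introspect("POST", hdrs, "token=tok-expired-02", now=NOW_FIXED))
```

The ordering of the checks is deliberate: method and media type are validated before the client credential is even looked at, and the token record is consulted only after the caller has authenticated, so an unauthenticated party cannot learn whether a token string is known to the server.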
