Last Call Review of draft-ietf-oauth-iss-auth-resp-02
review-ietf-oauth-iss-auth-resp-02-artart-lc-reschke-2021-11-01-00
| Request | Review of | draft-ietf-oauth-iss-auth-resp |
|---|---|---|
| Requested revision | No specific revision (document currently at 05) | |
| Type | Last Call Review | |
| Team | ART Area Review Team (artart) | |
| Deadline | 2021-11-17 | |
| Requested | 2021-10-27 | |
| Authors | Karsten Meyer zu Selhausen , Daniel Fett | |
| I-D last updated | 2021-11-01 | |
| Completed reviews |
Artart Last Call review of -02
by Julian Reschke
(diff)
Secdir Last Call review of -02 by Yoav Nir (diff) |
|
| Assignment | Reviewer | Julian Reschke |
| State | Partially completed | |
| Request | Last Call review on draft-ietf-oauth-iss-auth-resp by ART Area Review Team Assigned | |
| Posted at | https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0 | |
| Reviewed revision | 02 (document currently at 05) | |
| Result | Almost ready | |
| Completed | 2021-11-01 |
review-ietf-oauth-iss-auth-resp-02-artart-lc-reschke-2021-11-01-00
(I have reviewed this with zero knowledge of OAuth, so additional review probably would be good) Major issues: 2.4 "Clients MUST compare the extracted and URL-decoded value to the issuer identifier of the authorization server where the authorization request was sent to." I'm not sure that "URL-decoded" is correct with respect to decoding query parameters. Consider URLs containing "+" or "=". You probably need the encoding rules for application/x-www-form-urlencoded instead. Minor issues: References to registries should not be listed as normative. Nits: Section links to external documents do not appear to be marked up as such (and use a trailing dot in the section number which they should not) There are no Acks; so section 6 should be deleted (if there were acksm they should go into an unnumbered section at the end of the document)