Last Call Review of draft-ietf-oauth-rar-14
review-ietf-oauth-rar-14-artart-lc-fossati-2022-11-04-00
Request | Review of | draft-ietf-oauth-rar |
---|---|---|
Requested revision | No specific revision (document currently at 23) | |
Type | Last Call Review | |
Team | ART Area Review Team (artart) | |
Deadline | 2022-11-17 | |
Requested | 2022-10-27 | |
Authors | Torsten Lodderstedt, Justin Richer, Brian Campbell | |
I-D last updated | 2022-11-04 | |
Completed reviews | Genart Last Call review of -15 by Robert Sparks; Secdir Last Call review of -15 by Carl Wallace; Artart Last Call review of -14 by Thomas Fossati; Opsdir Last Call review of -23 by Qin Wu | |
Assignment | Reviewer | Thomas Fossati |
State | Completed | |
Request | Last Call review on draft-ietf-oauth-rar by ART Area Review Team Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/art/EckO_3zF-gnI83Q_HmO5xREursI | |
Reviewed revision | 14 (document currently at 23) | |
Result | Ready | |
Completed | 2022-11-04 |
This document defines an OAuth parameter ("authorization_details") to carry fine-grained authorization data in OAuth messages. This allows APIs to customise their authorization requests and has applicability in a number of scenarios, e.g.: banking, e-health, accessing tax data, etc. The document also defines a base vocabulary for expressing common semantics, which grants consistency in an otherwise completely open space.

It is a very well written document and was a pleasure to read. It has a clearly defined goal and well designed mechanisms.

The examples (both JSON and HTTP) are many, very well crafted, and syntactically impeccable -- apart from a couple of stray ellipses in the JSON examples of §10, and the snippet in Figure 16, which were the only alerts I got from my linter.

The IANA requests are in good shape (with only a tiny typo issue, see below.)

Here are a couple of very minor reference suggestions:

* §2, when JSON is first mentioned, you could add a pointer to RFC7493
* §2.1, when ASCII is mentioned, you could add a pointer to RFC0020

Please fix these:

* §2.2: "[...] the permissions the client requests is" should be "[...] the permissions the client requests are"
* §3: "[...] to improve to security" should be "[...] to improve the security"
* §15.6: "[...] authorization_details_parameterto" should be "[...] authorization_details parameters to" (I think)

Other than that, ship it!