- changed status to duplicate
BK Comments 5
Issue #88
duplicate
Section 5.2.1
   It is possible for the Request Object to include values that are to
   be revealed only to the Authorization Server. As such, the
   "request_uri" MUST have appropriate entropy for its lifetime. For
   the guidance, refer to 5.1.4.2.2 of [RFC6819]. It is RECOMMENDED
   that it be removed after a reasonable timeout unless access control
   measures are taken.

It sounds like a link to https://www.w3.org/TR/capability-urls/ might
also be useful.
Section 5.2.2
Do we want to remind the reader that the other query parameters are just
for backwards compatibility?
Section 5.2.3
   The following is an example of this fetch process:

     GET /request.jwt HTTP/1.1
     Host: tfp.example.org

It's useful to show good hygiene in examples; can we get the extra
entropy in this request that we have in the previous example(s)?
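
An added sketch, not part of the issue or of the draft, of the two properties the quoted Section 5.2.1 text asks for: a "request_uri" with an unguessable component and removal after a timeout. The class name, the URL layout (random token appended to the example host and path), the 256-bit token size and the 300-second lifetime are all assumptions made for illustration.

```python
import secrets
import time

# Host and path taken from the fetch example above; the trailing token is assumed.
BASE = "https://tfp.example.org/request.jwt/"
TOKEN_BYTES = 32    # assumed size: 256 bits drawn from the OS CSPRNG
TTL_SECONDS = 300   # assumed value for "a reasonable timeout"


class RequestObjectStore:
    """Hypothetical in-memory store keyed by the random part of request_uri."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested
        self._items = {}         # token -> (expiry, request_object_jwt)

    def publish(self, request_object_jwt):
        """Store a Request Object and return the request_uri that names it."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._items[token] = (self._clock() + self._ttl, request_object_jwt)
        return BASE + token

    def purge(self):
        """Remove every Request Object whose lifetime has ended."""
        now = self._clock()
        expired = [t for t, (exp, _) in self._items.items() if exp <= now]
        for token in expired:
            del self._items[token]

    def fetch(self, request_uri):
        """Return the Request Object for a live request_uri, else None."""
        self.purge()
        if not request_uri.startswith(BASE):
            return None          # a bare /request.jwt carries no secret part
        entry = self._items.get(request_uri[len(BASE):])
        return entry[1] if entry else None
```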
Comments (1)
- reporter
Duplicate of #103.