Grant Management: public vs private clients
The incremental authz draft, hailing from the IETF OAUTH WG, is different from grant management but also similar in many respects. For security reasons, the former has some significantly distinct functionality based on whether the client can authenticate or not. William Denniss (the man with two first names) is a pretty smart dude so I trust there's good reason for it. Meanwhile there's no such distinction in grant management. I've admittedly not thought it all through but I suspect that grant management needs some more work in this respect. Like maybe different behavior or recommendations for public clients, or disallowing parts of its use by public clients. Or, if not, some security considerations/analysis saying why it's okay.
Comments (8)
Thanks Brian. While there is nothing that prevents us from including support for both types of clients in the specification, we acknowledge that inclusion of public clients needs some work.
Given that there are no immediate use cases for it, we decided to exclude public client support from the first implementers draft.
changed status to open
changed status to resolved
PR is being reviewed and merged
Adding further footnote here following some other comments about this: https://bitbucket.org/openid/fapi/pull-requests/273/add-draft-note-about-public-clients
I feel like incremental auth is targeted at gradual upgrading of authorisation (bottom up) whereas grant management is about a clear view of all permissions (top down).
Should public clients be in-scope at all?