[OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02

Julian Reschke via Datatracker <noreply@ietf.org> Mon, 01 November 2021 10:33 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3463D3A1258; Mon, 1 Nov 2021 03:33:11 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Julian Reschke via Datatracker <noreply@ietf.org>
To: art@ietf.org
Cc: draft-ietf-oauth-iss-auth-resp.all@ietf.org, last-call@ietf.org, oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.39.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163576279118.23946.14747101192871915313@ietfa.amsl.com>
Reply-To: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 01 Nov 2021 03:33:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4gjjbGEUb-UeQxbDpiy27DTOxKc>
Subject: [OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Nov 2021 10:33:12 -0000

Review is partially done. Another assignment may be needed to complete it.

Reviewer: Julian Reschke
Review result: Almost Ready

(I have reviewed this with zero knowledge of OAuth, so additional review
probably would be good)

Major issues:


"Clients MUST compare the extracted and URL-decoded value to the issuer
identifier of the authorization server where the authorization request was sent

I'm not sure that "URL-decoded" is correct with respect to decoding query
parameters. Consider URLs containing "+" or "=". You probably need the encoding
rules for application/x-www-form-urlencoded instead.

Minor issues:

References to registries should not be listed as normative.


Section links to external documents do not appear to be marked up as such (and
use a trailing dot in the section number which they should not)

There are no Acks; so section 6 should be deleted (if there were acksm they
should go into an unnumbered section at the end of the document)