Re: [OAUTH-WG] draft-ietf-oauth-v2

Dick Hardt <> Tue, 17 July 2012 22:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1E21E21F851B for <>; Tue, 17 Jul 2012 15:08:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.552
X-Spam-Status: No, score=-3.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id X3d02RX5OYLS for <>; Tue, 17 Jul 2012 15:08:30 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7203F21F851A for <>; Tue, 17 Jul 2012 15:08:30 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so1504203pbc.31 for <>; Tue, 17 Jul 2012 15:09:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=kXxA/ZFD5HR0O9g9TsQXV9vgD6kbHlgwZ+wxHTtWZ8s=; b=wZEfigxlfo10vb+DzfKAcv4n25lcxLhz/M4aWYvRREHhAq2yo1XxTtW+Lxb2/mxuf8 qnIpYW4agPN5ZHruNpwuOKCWBD5ApP+R8CKzW3iRD7OuOYDHFWBkSY+UaK7MrW4b9D5P AU0376OSDlkM6VIrrTQMDCWpBQMe3h3AqG9fc3P/O5iLiGDBPX8yqizLa6roNZEmVjhI 2mKxrahbs1Mz3kapeLyh7dB7RVzOASEghRzugNmThdLOJi65fhVSRDpl0QnHA+yWtIi5 WNsmHZAvrvKYgW10NYPMHbNHXVqtA7LjPp6F4rJ9ebRzNg1/r2Scwh+FYyQDXjhYBqQT nt6Q==
Received: by with SMTP id pm9mr2164735pbb.49.1342562959022; Tue, 17 Jul 2012 15:09:19 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id ku7sm14793917pbc.31.2012. (version=TLSv1/SSLv3 cipher=OTHER); Tue, 17 Jul 2012 15:09:16 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="iso-8859-1"
From: Dick Hardt <>
In-Reply-To: <>
Date: Tue, 17 Jul 2012 15:09:14 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Michael Scalia <>
X-Mailer: Apple Mail (2.1278)
Cc: " WG" <>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Jul 2012 22:08:31 -0000

Thanks for the feedback Michael.

4.1.2 is where the authorization code is first talked about, and it makes sense to discuss how it is generated and used at that point. I can see how it might also be useful to put it in 4.1.3. Note that this is this is RECOMMENDED as opposed to MUST so it does not flow into "The authorization server MUST" list of points.

Personally, I don't see a need to change. Anyone else have an opinion on this?

-- Dick

On Jul 17, 2012, at 2:22 PM, Michael Scalia wrote:

> Dear OAuth Authors,
> I'm not sure if this is the right way to suggest an edit to the current OAuth draft.  Please let me know if I should use a different route.
> Section 4.1.2 Authorization Response includes the text, "If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.  The authorization code is bound to the client identifier and redirection URI."
> I believe this text is in the wrong place.  A client does not supply the authorization code to the authorization endpoint.  It supplies it to the token endpoint.  This should move to 4.1.3. Access Token Request, in the list of bulleted items under "The authorization server MUST".
> Thanks for all your work on this protocol.
> Regards,
> Michael Scalia