Another topic discussed in the IETF 121 OAuth meetings is the discovery of the token issuing service (Transaction Token Service) and whether different deployment models affect discovery or token issuance in any way.
Three possible deployment models (NOT exhaustive):
Embedded in an Authorization Server, or API GW
Single HA Transaction Token Service
Distributed (geographically) Transaction Token Service
How does a client of the Transaction Token Service endpoint know where to go? Is this out-of-scope for any specifications, and should the security concern of a client sending a transaction token request to an incorrect (unauthorized) endpoint just be clearly called out in the security considerations?
The thinking from the OAuth meeting is that this topic should be discussed in WIMSE as well.
OAuth Transaction Tokens GitHub repository.