Draft 09
- AS MUST NOT support CORS requests at authorization endpoint
- more detail on asymmetric client authentication
- sync CSRF description from security BCP
- update and move sender-constrained access tokens section
- sync client impersonating resource owner with security BCP
- add reference to authorization request from redirect URI registration section
- sync refresh rotation section from security BCP
- sync redirect URI matching text from security BCP
- updated references to RAR (RFC9396)
- clarifications on URIs
- removed redirect_uri from the token request
- expanded security considerations around code_verifier
- revised introduction section