
Commit

Merge pull request #173 from MozharAlhosni/patch-1
Minor fix
aaronpk authored Apr 26, 2024
2 parents 33141ce + 5289949 commit 7d1b617
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions draft-ietf-oauth-v2-1.md
Expand Up @@ -495,7 +495,7 @@ The flow illustrated in {{fig-refresh-token-flow}} includes the following steps:
### Client Credentials

The client credentials or other forms of client authentication
(e.g. a private key used to sign a JWT, as described in {{RFC7523}})
(e.g., a private key used to sign a JWT, as described in {{RFC7523}})
can be used as an authorization grant when the authorization scope is
limited to the protected resources under the control of the client,
or to protected resources previously arranged with the authorization
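Review bot: the only change in this hunk is the comma after "e.g." in the parenthetical on the second line of the Client Credentials paragraph; confirm the same "e.g.," form is used everywhere else in draft-ietf-oauth-v2-1.md so the patch leaves the document consistent rather than mixing both spellings. The {{RFC7523}} reference and the normative description of when client credentials may serve as an authorization grant are untouched, so no semantic review is needed beyond that.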
Expand Down Expand Up @@ -646,7 +646,7 @@ Transport-Layer Security {{RFC8446}},
to protect the exchange of clear-text credentials and tokens
either in the content or in header fields
from eavesdropping, tampering, and message forgery
(eg. see {{client-secret}}, {{authorization_codes}}, {{token-endpoint}}, and {{bearer-tokens}}).
(e.g., see {{client-secret}}, {{authorization_codes}}, {{token-endpoint}}, and {{bearer-tokens}}).

OAuth URLs MUST use the `https` scheme
except for loopback interface redirect URIs,
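Review bot: this hunk corrects a genuine typo ("eg." to "e.g.,") in the TLS paragraph, which is worth merging on its own; since the line is being touched anyway, check that the four cross-reference anchors it carries ({{client-secret}}, {{authorization_codes}}, {{token-endpoint}}, {{bearer-tokens}}) still resolve when the kramdown-rfc source is built, as a broken anchor here would silently drop the pointer to the sections that justify the TLS requirement. The following normative sentence ("OAuth URLs MUST use the `https` scheme except for loopback interface redirect URIs") is unchanged context.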
Expand Down Expand Up @@ -949,7 +949,7 @@ The redirection request to the client's endpoint typically results in
an HTML document response, processed by the user agent. If the HTML
response is served directly as the result of the redirection request,
any script included in the HTML document will execute with full
access to the redirect URI and the artifacts (e.g. authorization code)
access to the redirect URI and the artifacts (e.g., authorization code)
it contains. Additionally, the request URL containing the authorization code
may be sent in the HTTP Referer header to any embedded images, stylesheets
and other elements loaded in the page.
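Review bot: editorial change only ("e.g." to "e.g.,") in the paragraph describing script access to the authorization code on the redirect URI; the security guidance itself is not altered. One thing to leave alone in any follow-up: "Referer" on the second-to-last line is the historical spelling of the HTTP header field name and must not be "corrected" to "Referrer". A minor style point in the same paragraph, if another pass is made, is the missing serial comma in "embedded images, stylesheets and other elements".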
Expand Down Expand Up @@ -1992,7 +1992,7 @@ refresh token replay by malicious actors for public clients:

* *Sender-constrained refresh tokens:* the authorization server
cryptographically binds the refresh token to a certain client
instance, e.g. by utilizing DPoP {{RFC9449}} or mTLS {{RFC8705}}.
instance, e.g., by utilizing DPoP {{RFC9449}} or mTLS {{RFC8705}}.

* *Refresh token rotation:* the authorization server issues a new
refresh token with every access token refresh response. The
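Review bot: same editorial change ("e.g." to "e.g.,") in the sender-constrained refresh tokens bullet; the DPoP {{RFC9449}} and mTLS {{RFC8705}} references and the description of the mitigation are unchanged. The hunk's trailing context stops partway through the refresh token rotation bullet, which is just the diff window, not a truncation in the source.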

0 comments on commit 7d1b617
