This discussion is now locked
Posted by Ralph Henze on 8 November 2016 at 8:51
I'm not satisfied with section 6.2 ("Identity and Trust").
OAuth 2.0 does not stand for "Open Authentication".
As RFC 6749 states, OAuth 2.0 is an authorization framework (for delegated authorization, not primarily authentication).
OpenID Connect is mentioned without any explanation. It would be helpful if there was a short section that explains that OpenID Connect builds on top of OAuth 2.0, clarifies (e.g. mandatory usage of JWT tokens) and adds features (e.g. UserInfo endpoint).
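The distinction drawn above, that OpenID Connect layers an identity token (a signed JWT) on top of OAuth 2.0's delegated authorization, is exactly what a relying party has to check when it receives an ID token. The following is an added example, not code from the thread or from the book under discussion; the issuer, client_id, key and the use of HS256 are constructed assumptions (real providers typically publish RS256 keys via discovery), and the checks follow OpenID Connect Core 1.0 section 3.1.3.7.

```python
import base64, hashlib, hmac, json

# Constructed sample values; real deployments get the issuer and keys from OIDC discovery.
ISSUER = "https://op.example"          # hypothetical OpenID Provider
CLIENT_ID = "my-client"                # hypothetical relying party client_id
KEY = b"constructed-shared-secret"     # HS256 key for the constructed example

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = KEY) -> str:
    """Build an HS256-signed JWT; production OPs usually use RS256, HS256 keeps this offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token: str, nonce: str, now: int, key: bytes = KEY) -> dict:
    """Apply the relying-party ID token checks; raise ValueError with the reason on failure."""
    h, p, s = token.split(".")  # ValueError on anything but three segments
    # Pin the algorithm: the token must not be allowed to choose its own (e.g. "none").
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    audiences = claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in audiences:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")   # binds the token to this login request (replay defence)
    if not claims.get("sub"):
        raise ValueError("missing sub")      # the identity claim a plain OAuth access token need not carry
    return claims

def rejection_reason(token: str, nonce: str, now: int):
    """Return None if the token is accepted, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, nonce, now)
        return None
    except ValueError as e:
        return str(e)
```

A token that is valid OAuth 2.0 output but carries no `sub` or `nonce` is rejected here, which is the practical difference between "authorized to call an API" and "this user is authenticated".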
Posted by Erin Schnabel on 21 November 2016 at 10:47
You're right. An oversight / over-simplification. I have updated the chapter to clarify the terms, though without going into significant detail. Security really is an entire additional book on its own.