...
- Breaking changes:
- Section 1.5: Some properties in the the authorization server configuration data have been renamed, and others broken out into multiple properties with different names. The wording around reserved keywords vs. URIs as string values was also cleaned up.
- oauth_token_profiles_supported: broken out into two, pat_profiles_supported and aat_profiles_supported.
- uma_token_profiles_supported: renamed to rpt_profiles_supported.
- oauth_grant_types_suppored: broken out into two, pat_grant_types_supported and aat_grant_types_supported.
- Section 3.4.2: Error code names were cleaned up.
- expired_requester_ticket: renamed to expired_ticket.
- invalid_requester_ticket: renamed to invalid_ticket.
- Other changes of note:
- Updated the token introspection spec citation and details.
- Updated the OAuth threat model citation.
- Enhanced the security considerations section.
- Broaden from defining successful access as 200 OK to defining it as 2xx Success.
- Explain that the PAT implicitly gives the "subject" of a requested permission.
- Fix resource_set_registration_endpoint keyword mention. (It was missing the last work.)
- Section 1.5: Some properties in the the authorization server configuration data have been renamed, and others broken out into multiple properties with different names. The wording around reserved keywords vs. URIs as string values was also cleaned up.
From rev 07 to 08:
- Breaking changes:
- Section 1.3: TLS as defined and (mostly) required in OAuth (RFC 6749) is now a MUST in UMA for AS endpoints.