On Nov 2, 2023, at 18:11, Henk Birkholz <henk.birkholz@xxxxxxxxxxxxxxxxx> wrote:
>
>> access token verification

That term (and its variants) is the start of the problem.

Of course you can validate an access token; then you know that you have a valid access token. But you also need to find out whether that access token actually authorizes access!

Mixing up these two functions (one can be entirely in a library, the other needs application logic) is likely to be one of the biggest reasons for problems around using tokens.

Developing developer-friendly terminology may not have been on our initial list of security topics, but we now know it needs to be done.

(Now I have no idea why this note is in this thread.)

Regards, Carsten

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
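The two functions Carsten separates, shown side by side as an added example that is not part of the thread: `validate_token` answers only "is this a genuine, unexpired token?" (the library job), while `authorizes` answers "does this token permit the access being requested?" (the application job). The token format is a constructed HS256-style JWT with the standard `aud`, `scope` and `exp` claims; the key, audience URL and scope names are constructed sample values.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed sample key for the example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build a constructed HS256-style token: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now: int) -> dict:
    """Function 1 (library territory): is this token genuine and unexpired?
    Returns the claims or raises ValueError. Says nothing about what it permits."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorizes(claims: dict, audience: str, required_scope: str) -> bool:
    """Function 2 (application logic): does this valid token authorize THIS access?
    A token minted for another audience, or lacking the scope, is valid but useless here."""
    if claims.get("aud") != audience:
        return False
    return required_scope in claims.get("scope", "").split()


def decide(token: str, audience: str, required_scope: str, now: int) -> str:
    """Run both steps in order; the outcomes are deliberately kept distinct."""
    try:
        claims = validate_token(token, now)
    except ValueError as exc:
        return f"invalid: {exc}"
    return "authorized" if authorizes(claims, audience, required_scope) else "valid but not authorized"
```

The "valid but not authorized" outcome is the case the message warns about: every check a token library can do passes, yet granting access would still be wrong.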