
Releases: oauth-wg/oauth-first-party-apps

Draft -00 (Adopted by the OAuth WG)

08 Oct 00:54

No changes other than renaming the doc as an adopted draft

Draft -02 (IETF 120)

08 Jul 15:37

What's Changed

  • Clarify binding mechanism for DPoP by @PieterKas in #95
  • clarify auth_session in token response by @aaronpk in #92
  • Clarified two ways in which phishing may increase by @PieterKas in #91
  • Clarified resource server error response section
  • Added additional context to the Design Goals section
  • Clarified that further communication between client and AS can happen at proprietary endpoints
  • Changed invalid_grant to invalid_session

Full Changelog: draft-parecki-oauth-first-party-apps-01...draft-parecki-oauth-first-party-apps-02

Draft -01

01 Mar 17:24
  • Added clarification on use of authorization code binding when using DPoP with the authorization challenge endpoint.
  • Removed ash claim to simplify DPoP binding with auth_session value.
  • Fixed how "redirect to web" mechanism works with PKCE.
  • Added "intermediate requests" section to clarify these requests are out of scope, moved "auth session" description to that section.

Draft -00 (IETF 118)

20 Oct 21:36
  • Renamed device_session to auth_session
  • Added explicit method to indicate the client should restart the flow in a browser
  • Described how to use DPoP in conjunction with this spec
  • Removed "Native" from spec name

IETF 117

07 Jul 17:42
draft-parecki-oauth-first-party-native-apps-00

rm trailing space