[OAUTH-WG] For review/discussion: Cedar profile of OAuth Rich Authorization Requests

2024-02-21 Thread Cecchetti, Sarah
I have submitted a new draft: https://datatracker.ietf.org/doc/html/draft-cecchetti-oauth-rar-cedar This is intended to be a profile of RFC 9396 OAuth 2.0 Rich Authorization Requests (OAuth RAR). OAuth RAR defines an authorization_details parameter, but leaves the format of the parameter

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-21 Thread Henk Birkholz
Hello OAUTH list, I assume I understand what you were just supporting, Orie, but could you please phrase that in OLD vs. NEW email notation here on the list? Best regards, Henk p.s. I typically do not post here, but this discussion was confined to oauth On 21.02.24 14:50, Orie Steele wrote:

Re: [OAUTH-WG] FW: Call for consensus on SPICE charter

2024-02-21 Thread Orie Steele
I support making the above changes to the charter. OS On Tue, Feb 20, 2024 at 6:59 PM wrote: > Orie, many thanks for the dump on metadata, I understand now the motive. > > If we keep it simple and just say a metadata Discover proposal for > specific technologies there can be different

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Judith Kahrer
Hi Sachin, You’re right, the scope of the refresh token MUST remain the same. That means a refresh token should enable a client to request a new access token with the “scope originally granted by the resource owner”. Even if a refresh token entitles a client to request certain scopes

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Sachin Mamoru
Hi Warren, Agree with you on the complexity of our scenario. This is one of the parts of a complex issue we are discussing internally. So according to section 6 of the specification, we can conclude that "the refresh token scope MUST be identical to that of the refresh token included by the

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Warren Parad
Sachin, Can I ask what your goal is here, as in what would you like out of this conversation, what, concretely, if anything, would you like this working group to action? It seems that you have had a question, which has been answered multiple times (in multiple different email threads, I might add). The

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Sachin Mamoru
Hi Neil, Since access tokens are bound to scopes, these scopes define the permissions granted for accessing resources. When an access token is requested, it's issued with specific scopes based on the authorization granted by the resource owner. On the other hand, refresh tokens are used to

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Kai Lehmann
Hi Sachin, you can find this information in section 6: https://www.rfc-editor.org/rfc/rfc6749#section-6 “If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.” Best regards, Kai From: OAuth on

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Neil Madden
That section quite clearly says "*access tokens* with identical or narrower scope". Not refresh tokens. -- Neil > On 21 Feb 2024, at 08:24, Sachin Mamoru wrote: > > Hi Warren and Neil, > > My basis for asking this is due to the following definition [1], > > Refresh tokens are credentials
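The two rules from RFC 6749 section 6 quoted in this thread (the new access token may have identical or narrower scope than originally granted, while a rotated refresh token keeps the scope of the refresh token presented) are easy to get backwards in an authorization server. The following is an added illustration, not code from any list participant or from any product mentioned; it models a minimal token endpoint's refresh grant with an in-memory token store and hypothetical class names (TokenEndpoint, RefreshToken, AccessToken) to show how the scope check and rotation interact.

```python
"""Refresh-token grant scope handling, following RFC 6749 section 6.

Added example (not from the mailing-list thread). Names and the in-memory
store are illustrative; a real server would persist tokens and bind them
to clients and resource owners.
"""
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Refresh token unknown, revoked, or issued to another client."""


class InvalidScope(Exception):
    """Requested scope exceeds the scope originally granted."""


@dataclass(frozen=True)
class RefreshToken:
    value: str
    client_id: str
    scope: frozenset  # scope originally granted by the resource owner


@dataclass(frozen=True)
class AccessToken:
    value: str
    scope: frozenset


class TokenEndpoint:
    def __init__(self):
        # value -> RefreshToken; constructed in-memory store for the example
        self._refresh_tokens = {}

    def issue_refresh_token(self, client_id, scope):
        rt = RefreshToken(secrets.token_urlsafe(32), client_id, frozenset(scope))
        self._refresh_tokens[rt.value] = rt
        return rt

    def refresh(self, client_id, refresh_token, scope=None, rotate=True):
        """grant_type=refresh_token. Returns (access_token, refresh_token).

        - Omitted scope is treated as identical to the scope originally granted.
        - Requested scope MUST NOT include any scope not originally granted
          (access token gets identical or narrower scope).
        - If a new refresh token is issued, its scope MUST be identical to the
          scope of the refresh token presented, even when the access token
          was narrowed in this request.
        """
        rt = self._refresh_tokens.get(refresh_token)
        if rt is None or rt.client_id != client_id:
            raise InvalidGrant("invalid_grant")
        granted = rt.scope
        requested = frozenset(scope.split()) if scope else granted
        if not requested <= granted:
            raise InvalidScope("invalid_scope")
        access = AccessToken(secrets.token_urlsafe(32), requested)
        new_rt = rt
        if rotate:
            # Revoke the presented token and rotate, keeping the *original*
            # scope so a narrowed access token request cannot shrink the grant.
            del self._refresh_tokens[rt.value]
            new_rt = self.issue_refresh_token(client_id, granted)
        return access, new_rt
```

Run against a grant of scope1 scope2 scope3: a refresh asking for "scope1" yields an access token with only scope1, a rotated refresh token that still carries all three scopes, and a rejection for any request naming a scope outside the original grant.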

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Sachin Mamoru
Hi Warren and Neil, My basis for asking this is due to the following definition [1], Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Neil Madden
On 21 Feb 2024, at 08:06, Sachin Mamoru wrote: > > Hi Warren and Neil, > > Thanks for the valuable input and sorry for mentioning other products, I just > wanted to provide an example. > So Warren, according to you, the following is the behaviour that the spec suggested. > > When we request an access

Re: [OAUTH-WG] Evaluation of Scope Management in Refresh Token Behavior

2024-02-21 Thread Sachin Mamoru
Hi Warren and Neil, Thanks for the valuable input and sorry for mentioning other products, I just wanted to provide an example. So Warren, according to you, the following is the behaviour that the spec suggested. When we request an access token using 3 scopes (scope1, scope2, scope3). Then will receive a