?
Thanks,
-- Mike
From: OAuth On Behalf Of Rifaat Shekh-Yusef
Sent: Monday, April 22, 2024 7:55 AM
To: Pieter Kasselman
Cc: oauth
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
All
ietf ; oauth
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
I volunteered to review the OAuth 2.0 Protected Resource Metadata
(https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html) at
the IETF 119 meeting.
First, I would like to thank the authors,
Sent: Thursday, April 4, 2024 2:42 PM
To: Michael Jones
Cc: Vladimir Dzhuvinov ; oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
Apologies, I just noticed an unfinished sentence in my prior message
(embarrassing but I guess I started to write it and then change
orted and why (paragraph 1 and 2).
> 4. Section 7.8: Not sure if this falls under phishing or if there
> needs to be a separate section on malicious resource servers that use
> resource metadata to direct users to an authorization server under their
> control in order to collect c
rization server under their control in order to
collect credentials (it is kind of hinted at, but not explicitly stated).
Defences would be similar to those typically deployed against phishing sites as
outlined in the last sentence of section 7.8
Cheers
Pieter
From: OAuth On Behalf Of
ing for removal at this point but I think the
> three *_values_supported parameters need additional definition or
> clarification for them to be useful in a meaningful or interoperability
> improving way. Absent that though, I guess I would argue for their removal.
>
>
>
>>
>> -- Mike
eaningful or interoperability improving way.
Absent that though, I guess I would argue for their removal.
>
> -- Mike
>
>
>
> *From:* OAuth *On Behalf Of *Brian Campbell
> *Sent:* Tuesday, April 2, 2024 2:45 PM
> *To:* Vladimir Dzhuvinov
> *Cc:* oauth@i
think?
-- Mike
From: OAuth On Behalf Of Brian Campbell
Sent: Tuesday, April 2, 2024 2:45 PM
To: Vladimir Dzhuvinov
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
I've had questions similar to Vladimir's* and do
I've had questions similar to Vladimir's* and do still think that some
additional context or clarification or something in the document would be
helpful.
* https://mailarchive.ietf.org/arch/msg/oauth/LA6sqNOV98D7wP44p2Hl6dpSmtg/
On Thu, Mar 28, 2024 at 2:57 PM Vladimir Dzhuvinov
wrote:
> I
*To:* Rifaat Shekh-Yusef ; oauth
> *Subject:* Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
>
>
>
>6. Section 5.1: Does this introduce any IANA consideration? How would
>we know if some other spec is not using "resource_metadata" in some other
>
Thanks again for the detailed review, Atul! I’ve updated the PR accordingly.
Responses are inline below…
From: OAuth On Behalf Of Atul Tulshibagwale
Sent: Friday, March 29, 2024 6:31 PM
To: Rifaat Shekh-Yusef ; oauth
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
Continuing my review notes from section 3.2:
1. Section 3.2 paragraph 2 says "Claims that return multiple values are
represented as JSON arrays." should this be "MUST be represented as JSON
arrays"? "Are" is probably OK because it is a statement of fact, but since
this spec will be
Ciao Rifaat and everybody,
In Italy, I've come across two national guidelines[1][2] that utilize OAuth
2.0 for protecting resources. These were implemented two years ago when the
draft was still an individual draft and not as mature as it is today.
Reflecting on the Italian implementation
I have a question about the parameters:
resource_signing_alg_values_supported,
resource_encryption_alg_values_supported,
resource_encryption_enc_values_supported.
I'm not sure how to interpret "content". Where the algorithms, if
advertised, get to apply. Is this something that resources /
,
-- Mike
From: OAuth On Behalf Of Atul Tulshibagwale
Sent: Wednesday, March 27, 2024 12:01 PM
To: Rifaat Shekh-Yusef
Cc: oauth
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
Hi all,
I'd committed to reviewing the draft at IETF 119, so
From: OAuth On Behalf Of Atul Tulshibagwale
Sent: Wednesday, March 27, 2024 12:01 PM
To: Rifaat Shekh-Yusef
Cc: oauth
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
Hi all,
I'd committed to reviewing the draft at IETF 119, so here is my feedback up to
section 3.1:
1
Hi all,
I'd committed to reviewing the draft at IETF 119, so here is my feedback up
to section 3.1:
1. Section 1: The sentence "Each protected resource publishing metadata
about itself makes its own metadata document available at a well-known
location rooted at the protect resource's
All,
This is a *WG Last Call* for the *OAuth 2.0 Protected Resource Metadata*
document.
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html
Please, review this document and reply on the mailing list if you have any
comments or concerns, by *April 12*.
Regards,
Rifaat &
18 matches