Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-23 Thread Saxe, Dean
Thanks Pieter! -dhs -- Dean H. Saxe, CIDPRO (he/him) Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS) E: deans...@amazon.com | M: 206-659-7293 From: Pieter Kasselman Date: Tuesday, April 23, 2024 at 7:02 AM

Re: [OAUTH-WG] [External Sender] Re: Transaction Tokens issuance in the absence of incoming token

2024-04-23 Thread Kai Lehmann
Hi George, The Token Exchange request is requiring client authentication. A TTS needs to trust this authenticated client to provide a correct subject to some extent. This is also the case if the client would provide a self-signed JWT containing the subject instead. Using a JWT as a subject

Re: [OAUTH-WG] Cross-Device Flows: Security Best Current Practice Review

2024-04-23 Thread Roy Williams (E+P)
Thank you Pieter. From: Pieter Kasselman Sent: Tuesday, April 23, 2024 6:43 AM To: Roy Williams (E+P) ; oauth@ietf.org Subject: RE: Cross-Device Flows: Security Best Current Practice Review Thanks Roy, thanks for the review and feedback, much appreciated. I have opened two issues to add

Re: [OAUTH-WG] WGLC for Cross-Device Flows BCP

2024-04-23 Thread Pieter Kasselman
Hi Dean, thanks for taking the time to review and provide feedback Dean, much appreciated. I have opened issues to address each of the items highlighted. 1. Add verbiage to diagrams: https://github.com/oauth-wg/oauth-cross-device-security/issues/124 2. Make examples consistent for

Re: [OAUTH-WG] Cross-Device Flows: Security Best Current Practice Review

2024-04-23 Thread Pieter Kasselman
Thanks Roy, thanks for the review and feedback, much appreciated. I have opened two issues to add clarification and provide additional guidance to implementers. 1. Highlight edge cases of geolocation based on IP Address * Issue #123 * oauth-wg/oauth-cross-device-security