There have been way too many issues, confused conversations and discussions on 
and off list to have this document move forward. Suggest that this be one of 
the main items on the agenda for when we meet.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM)
Sent: Thursday, March 10, 2016 9:09 AM
To: Vladimir Dzhuvinov <vladi...@connect2id.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

I strongly oppose. 2 major issues.

This is not service discovery; this is configuration lookup. The client must 
have already discovered the oauth issuer uri and the resource uri.

The objective was to provide a method to ensure the client has a valid set of 
endpoints to prevent mitm of endpoints like the token endpoint to the resource 
server.

The draft does not address the issue of a client being given a bad endpoint for 
an rs. What we end up with is a promiscuous authz service giving out tokens to 
an unwitting client.

Phil

On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
+1 to move forward with these
On 10/03/16 17:35, Brian Campbell wrote:

+1



On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg <roland.hedb...@umu.se> wrote:



I support this document being moved forward with these two changes:

- change name to “OAuth 2.0 Authorization Server Discovery Metadata” as proposed by Brian and
- use the URI path suffix ’oauth-authorization-server’ instead of ’openid-configuration’ as proposed by Justin.



On 18 Feb 2016, at 14:40, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:



Hi all,



This is a Last Call for comments on the OAuth 2.0 Discovery specification:

https://tools.ietf.org/html/draft-ietf-oauth-discovery-01



Since this document was only adopted recently we are running this last call for **3 weeks**.



Please have your comments in no later than March 10th.



Ciao

Hannes & Derek



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

— Roland

“Everybody should be quiet near a little stream and listen.”
From ’Open House for Butterflies’ by Ruth Krauss




