+1.  This is what I expected.

Phil

Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com
phil.h...@oracle.com

> On Mar 19, 2018, at 10:16 AM, Torsten Lodderstedt <tors...@lodderstedt.net> 
> wrote:
> 
> We explicitly want the token (JSON object) to be signed, not the HTTP 
> response. I think using JWS is the most generic way to achieve that goal.
> 
>> On 19.03.2018 at 09:57, Phil Hunt <phil.h...@oracle.com> wrote:
>> 
>> This draft has similar issues to 
>> https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01
>> 
>> Rather than *try* to sign HTTP, a signed JWT object is more reliably returned.
>> 
>> Phil
>> 
>> 
>>> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis <louis.larmig...@wavestone.com> 
>>> wrote:
>>> 
>>> Hi,
>>>  
>>> Could the draft Signing HTTP Messages 
>>> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) not 
>>> meet this requirement in a more generic way?
>>>  
>>> Regards,
>>> Louis
>>>  
>>> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Brock Allen
>>> Sent: Sunday, March 18, 2018 20:40
>>> To: Torsten Lodderstedt <tors...@lodderstedt.net>; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for 
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>>  
>>> Why is TLS to the introspection endpoint not sufficient? Are you thinking 
>>> there needs to be some multi-tenancy support of some kind?
>>>  
>>> -Brock
>>>  
>>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt <tors...@lodderstedt.net> 
>>> wrote:
>>> 
>>> Hi all,
>>>  
>>> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It 
>>> proposes a JWT-based response type for Token Introspection. The objective 
>>> is to provide resource servers with signed tokens in case they need 
>>> cryptographic evidence that the AS created the token (e.g. for liability). 
>>>  
>>> I will present the new draft in the session on Wednesday.
>>>  
>>> kind regards,
>>> Torsten. 
>>> 
>>> 
>>> Begin forwarded message:
>>>  
>>> From: internet-dra...@ietf.org
>>> Subject: New Version Notification for 
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> Date: March 18, 2018 at 20:19:37 CET
>>> To: "Vladimir Dzhuvinov" <vladi...@connect2id.com>, "Torsten Lodderstedt" 
>>> <tors...@lodderstedt.net>
>>>  
>>> 
>>> A new version of I-D, 
>>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> has been successfully submitted by Torsten Lodderstedt and posted to the
>>> IETF repository.
>>> 
>>> Name:           draft-lodderstedt-oauth-jwt-introspection-response
>>> Revision:       00
>>> Title:          JWT Response for OAuth Token Introspection
>>> Document date:  2018-03-15
>>> Group:          Individual Submission
>>> Pages:          5
>>> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>>> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>> 
>>> 
>>> Abstract:
>>>   This draft proposes an additional JSON Web Token (JWT) based response
>>>   for OAuth 2.0 Token Introspection.
>>> 
>>> 
>>> 
>>> 
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>> 
>>> The IETF Secretariat
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
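
The point made in the thread, signing the token (JSON object) itself as a JWS rather than the HTTP response, as an added example that is not code from the draft or from any participant. ES256, the key id, the issuer URL and the claim values are assumptions; the member names `active`, `scope`, `client_id`, `sub` and `iss` are RFC 7662 introspection response members.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// AS side: sign the JSON object itself, so the proof survives outside HTTP/TLS.
function signIntrospection(claims, privateKey, kid) {
  const header = { alg: 'ES256', typ: 'JWT', kid }; // kid is an assumed key id
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  // JWS ES256 uses the fixed-length R||S signature form, not DER.
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// RS side: pin the algorithm, verify the signature, then check the issuer.
function verifyIntrospection(jws, publicKey, expectedIss) {
  const parts = jws.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  if (fromB64u(parts[0]).alg !== 'ES256') throw new Error('unexpected alg');
  const sig = Buffer.from(parts[2], 'base64url');
  const ok = sig.length === 64 && crypto.verify('sha256',
    Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  const claims = fromB64u(parts[1]);
  if (claims.iss !== expectedIss) throw new Error('unexpected issuer');
  return claims;
}

// Constructed sample: throwaway key pair and made-up claim values.
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleClaims = { iss: 'https://as.example.com', active: true,
  scope: 'read', client_id: 'client-1', sub: 'user-42' };
// The compact string is what a resource server would store as evidence.
const storedEvidence = signIntrospection(sampleClaims, privateKey, 'as-key-1');
console.log(verifyIntrospection(storedEvidence, publicKey, 'https://as.example.com'));
```

The stored compact string can be re-verified later against the AS public key with no reference to the TLS session that delivered it.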
