The thought/intent is that it's really about proof-of-possession rather than protecting the request. So the signature is over a minimal set of information.
On Mon, Apr 8, 2019 at 5:41 PM Justin Richer <jric...@mit.edu> wrote: > Corollary to this, are there thoughts of header protection under this > method, and the associated issue of header modification? > > — Justin > > On Apr 8, 2019, at 7:23 PM, Phil Hunt <phil.h...@oracle.com> wrote: > > Question. One of the issues that Justin Richer’s signing draft tried to > address was url modification by tls terminators/load balencers/proxies/api > gateways etc. > > How do you see this issue in dpop? Is it a problem? > > Phil > > On Apr 3, 2019, at 9:01 AM, George Fletcher < > gffletch=40aol....@dmarc.ietf.org> wrote: > > Perfect! Thank you! A couple comments on version 01... > > POST /token HTTP/1.1 > Host: server.example.com > Content-Type: application/x-www-form-urlencoded;charset=UTF-8 > DPoP-Binding: eyJhbGciOiJSU0ExXzUi ... > > grant_type=authorization_code > &code=SplxlOBeZQQYbYS6WxSbIA > &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb > (remainder of JWK omitted for brevity) > > > I believe the "(remainder of JWK..." should be moved to the DPoP-Binding > header... > > Also, there is no discussion of the DPoP-Binding header outside of the > token request, but I suspect that is the desired way to communicate the > DPoP-Proof to the RS. > > Possibly an example in the session for presenting the token to the RS > would help. > > Thanks, > George > > On 4/3/19 11:39 AM, Daniel Fett wrote: > > This is fixed in -01: > > https://tools.ietf.org/html/draft-fett-oauth-dpop-01 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dfett-2Doauth-2Ddpop-2D01&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=TEa5Vgb3rAzxbIuavB1lN65fnkTxKoMp7F2rw1AjuEY&e=> > > -Daniel > > Am 03.04.19 um 17:28 schrieb George Fletcher: > > A quick question regarding... > > o "http_uri": The HTTP URI used for the request, without query and > fragment parts (REQUIRED). > > > Is 'without' supposed to be 'with' ? The example shows the http_uri *with* > the query parameters :) > > On 3/28/19 6:17 AM, Daniel Fett wrote: > > Hi all, > > I published the first version of the DPoP draft at > https://tools.ietf.org/html/draft-fett-oauth-dpop-00 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dfett-2Doauth-2Ddpop-2D00&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=eeMGKZq5R86dv0XgrBsIijzuI8OzQqnE-vmUEZ836hY&e=> > > Abstract > > This document defines a sender-constraint mechanism for OAuth 2.0 > access tokens and refresh tokens utilizing an application-level > proof-of-possession mechanism based on public/private key pairs. > > > Thanks for the feedback I received so far from John, Mike, Torsten, and > others during today's session or before! > > If you find any errors I would welcome if you open an issue in the GitHub > repository at https://github.com/webhamster/draft-dpop > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_webhamster_draft-2Ddpop&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=RR3u82IhN7whr8LgXMWM2fWN7EKH6GO-Bs-HRxEwKHE&e=> > > - Daniel > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=8LDvfTYESi1fDeRK7mQrHFeo9okoJ4NTZU4OHyeRJWk&e=> > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=8LDvfTYESi1fDeRK7mQrHFeo9okoJ4NTZU4OHyeRJWk&e= > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
