Hi all,

I have submitted a new individual Internet-Draft titled: "OAuth Trust Binding Extension (OTBE)".

The draft addresses a long-standing issue in OAuth and OpenID Connect deployments: Relying Parties frequently accept identity assertions from Authorization Servers based solely on namespace control (e.g., email domains), even when the Resource Owner has no prior trust relationship with that Authorization Server. This can enable silent impersonation, unintended identity assertions, and operational ambiguity around whether a user *intended* to authorize a given Authorization Server for a particular Relying Party.

OTBE introduces an explicit, user-controlled Trust Binding mechanism that allows Resource Owners to authorize which Authorization Servers may assert their identity for a given Relying Party. Without such a binding, an authorization attempt is rejected by design.

Draft: https://datatracker.ietf.org/doc/draft-fulz-oauth-trust-binding/
TXT version: https://www.ietf.org/archive/id/draft-fulz-oauth-trust-binding-00.txt

Feedback is very welcome. I would appreciate initial thoughts on whether this problem space should be considered within the WG's scope and how to best approach the discussion.

Best regards,
Matthias Fulz
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
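To make the distinction in the announcement concrete, here is an added illustration (not code from the draft or from its author) of the two Relying-Party decision rules it contrasts: accepting an identity assertion purely because the issuing Authorization Server is known to control the email's domain, versus additionally requiring an explicit, Resource-Owner-controlled binding of that issuer to this Relying Party and rejecting by default when none exists. The binding store, the issuer-to-domain table, and all issuer URLs and addresses are constructed for the example; the draft's actual data model and wire format are not represented here.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    REJECT_DOMAIN = "reject: issuer is not known to control the email domain"
    REJECT_NO_BINDING = "reject: resource owner has not bound this issuer for this RP"


@dataclass
class IdentityAssertion:
    # Minimal view of an ID token: which Authorization Server issued it and
    # which identity (email) it claims.
    issuer: str
    email: str


@dataclass
class TrustBindingStore:
    """Hypothetical per-Relying-Party record of which issuers a Resource Owner
    has explicitly authorized to assert their identity.
    Keyed by (email, rp_id) -> set of issuer URLs."""
    bindings: dict = field(default_factory=dict)

    def bind(self, email: str, rp_id: str, issuer: str) -> None:
        # The Resource Owner authorizes `issuer` for `rp_id`.
        self.bindings.setdefault((email, rp_id), set()).add(issuer)

    def unbind(self, email: str, rp_id: str, issuer: str) -> None:
        # The Resource Owner withdraws that authorization.
        self.bindings.get((email, rp_id), set()).discard(issuer)

    def is_bound(self, email: str, rp_id: str, issuer: str) -> bool:
        return issuer in self.bindings.get((email, rp_id), set())


# Constructed table of which issuer an RP considers authoritative for which
# email domain (an allow-list of the kind many deployments use today).
ISSUER_DOMAINS = {
    "https://idp.example.com": {"example.com"},
    "https://other-idp.example.net": {"example.com", "example.net"},
}


def namespace_only_check(assertion: IdentityAssertion) -> Decision:
    """The pattern the post describes: accept if the issuer is on the list for
    the email's domain. Every issuer listed for a domain can then assert any
    user in that domain, regardless of whether the user ever chose it."""
    domain = assertion.email.rsplit("@", 1)[-1].lower()
    if domain in ISSUER_DOMAINS.get(assertion.issuer, set()):
        return Decision.ACCEPT
    return Decision.REJECT_DOMAIN


def trust_binding_check(store: TrustBindingStore, rp_id: str,
                        assertion: IdentityAssertion) -> Decision:
    """Namespace check plus an explicit, user-controlled binding: the
    assertion is rejected by default unless the Resource Owner bound this
    issuer for this Relying Party."""
    if namespace_only_check(assertion) is not Decision.ACCEPT:
        return Decision.REJECT_DOMAIN
    if not store.is_bound(assertion.email, rp_id, assertion.issuer):
        return Decision.REJECT_NO_BINDING
    return Decision.ACCEPT


if __name__ == "__main__":
    store = TrustBindingStore()
    rp = "https://rp.example.org"
    alice = "alice@example.com"
    # Alice only ever used idp.example.com with this RP.
    store.bind(alice, rp, "https://idp.example.com")
    from_other = IdentityAssertion("https://other-idp.example.net", alice)
    print("namespace-only:", namespace_only_check(from_other).value)
    print("trust-binding: ", trust_binding_check(store, rp, from_other).value)
```

Running the block shows the gap the draft targets: the second issuer passes the namespace-only rule because it is listed for example.com, but fails the trust-binding rule because Alice never bound it for this Relying Party.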
