Re: [OAUTH-WG] Generalizing draft-ietf-oauth-jwt-introspection-response-01
As discussed during the working group meeting, I agree with the people who spoke up saying that they believe that trying to over-generalize the JWT introspection response mechanism to cover all OAuth interactions would be reaching too far. There are differences in the characteristics of the different OAuth endpoints (authorization, token, introspection, AS metadata, dynamic registration, etc.) that would have to be accounted for, including the likelihood that different keys and algorithms would be appropriate in the different contexts, different client authentication methods would be needed, etc.

Let's do one thing well. Not create something that's extra-complicated without any clear use cases for doing so.

-- Mike

-----Original Message-----
From: OAuth On Behalf Of Torsten Lodderstedt
Sent: Monday, November 5, 2018 1:33 PM
To: oauth
Subject: [OAUTH-WG] Generalizing draft-ietf-oauth-jwt-introspection-response-01

Hi all,

as mentioned during the presentation this morning, I would like to get a feeling for what the working group thinks about generalizing draft-ietf-oauth-jwt-introspection-response-01 to a mechanism supporting requesting and providing JWT responses from the different OAuth endpoints, such as token, revocation, client registration, and introspection.

Please share your thoughts on the list.

Thanks in advance,
Torsten.

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
[OAUTH-WG] Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
Hi all,

the Financial-grade API WG at the OpenID Foundation has published a mechanism for signing and encrypting OAuth authorization responses that I would like to bring to your attention.

The draft https://openid.net//specs/openid-financial-api-jarm-wd-01.html went already through Implementations Draft voting. I presented the draft in the session today at IETF-103 and perceived positive feedback on making this draft usable in a broader OAuth context.

For the time being we would like the draft to stay in the FAPI WG. If you want to give feedback, please do so either here or at the FAPI mailing list (http://lists.openid.net/mailman/listinfo/openid-specs-fapi).

kind regards,
Torsten.
[OAUTH-WG] Generalizing draft-ietf-oauth-jwt-introspection-response-01
Hi all,

as mentioned during the presentation this morning, I would like to get a feeling for what the working group thinks about generalizing draft-ietf-oauth-jwt-introspection-response-01 to a mechanism supporting requesting and providing JWT responses from the different OAuth endpoints, such as token, revocation, client registration, and introspection.

Please share your thoughts on the list.

Thanks in advance,
Torsten.
[OAUTH-WG] For Tuesday's Session: OAuth2 for Browser-based Apps
All,

Here is the draft that was foreshadowed for tomorrow's discussion:

https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-00

--
- m
Matthew A. Miller