Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-saml-01

2011-01-04 Thread Peter Saint-Andre
Agreed. I'll poke the chairs about accepting this as a WG item. :) Peter On 12/14/10 6:26 PM, Eran Hammer-Lahav wrote: > Prepare a new draft if needed and submit it with draft-ietf-oauth- > prefix. One of the chairs will need to approve it and it will be > published. I think we have wide conse

Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-saml-01

2011-01-04 Thread Brian Campbell
Thanks Peter. I did update the draft and submit it with a draft-ietf-oauth- prefix. The I-D submission summary page for it is at https://datatracker.ietf.org/idst/status.cgi?submission_id=28905 On Tue, Jan 4, 2011 at 9:08 AM, Peter Saint-Andre wrote: > > > Agreed. > > I'll poke the chairs about

Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-saml-01

2011-01-04 Thread Blaine Cook
Accepted into the tracker. Thanks, Brian! b. On 4 January 2011 08:26, Brian Campbell wrote: > Thanks Peter.  I did update the draft and submit it with a > draft-ietf-oauth- prefix. The I-D submission summary page for it is at > https://datatracker.ietf.org/idst/status.cgi?submission_id=28905 > >

[OAUTH-WG] I-D Action:draft-ietf-oauth-saml2-bearer-00.txt

2011-01-04 Thread Internet-Drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Open Authentication Protocol Working Group of the IETF. Title : SAML 2.0 Bearer Assertion Grant Type Profile for OAuth 2.0 Author(s) : B. Campbell, C.

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Francisco Corella
Torsten, > you made a good point. However, the question is if this > belongs into the OAuth scope since this a general attack on > a web app's session management. I gave two variants of the attack.  I agree that the first variant "looks like" an attack against session management, but the second v

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Marius Scurtescu
On Tue, Jan 4, 2011 at 1:27 PM, Francisco Corella wrote: > > We need a protocol that does both authentication and > authorization.  We can take OAuth and adapt it for > authentication, or take OpenID and adapt it for > authorization, or combine OpenID and OAuth (great solution > for people who lov

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread torsten
What is the status of OpenID Connect and what organisation is standardizing it? Sent with BlackBerry® Webmail from Telekom Deutschland -Original Message- From: Marius Scurtescu Date: Tue, 4 Jan 2011 13:37:28 To: Cc: ; ; Karen P. Lewison Subject: Re: [OAUTH-WG] TLS is needed for re

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Justin Richer
> > We need a protocol that does both authentication and > > authorization. We can take OAuth and adapt it for > > authentication, or take OpenID and adapt it for > > authorization, or combine OpenID and OAuth (great solution > > for people who love complexity) or... take the best ideas > > from O

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Torsten Lodderstedt
Francisco, the attack you described sounds very similar to session fixation attacks. TLS (more specifically server authentication) is one way to cope with spoofing in general (supposing the client has a reasonable CA policy). So it should do in this case, too. Validation of the redirect_uri a

Re: [OAUTH-WG] unregistered applications

2011-01-04 Thread Torsten Lodderstedt
Francisco, just to make sure I understood your paper correctly: even native clients are required to have a backend server component, which receives the authorization results and makes it available to the native client? regards, Torsten. Hi all, OAuth provides only weak security when used wi

Re: [OAUTH-WG] Native Client Extension

2011-01-04 Thread Torsten Lodderstedt
+1 I have asked myself all the time why "oob" disappeared in OAuth 2.0? Does Google use this feature? regards, Torsten. On 29.12.2010 23:53, Marius Scurtescu wrote: I would like to propose an OAuth 2 extension that helps native clients close the loop after the approval page. The extension d

Re: [OAUTH-WG] Native Client Extension

2011-01-04 Thread Marius Scurtescu
On Tue, Jan 4, 2011 at 2:23 PM, Torsten Lodderstedt wrote: > +1 > > I have asked myself all the time why "oob" disappeared in OAuth 2.0? Does > Google use this feature? Yes, we are planning to support this, exactly as described in the extension. Marius

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Francisco Corella
--- On Tue, 1/4/11, Marius Scurtescu wrote: > > We need a protocol that does both authentication and > > authorization.  We can take OAuth and adapt it for > > authentication, or take OpenID and adapt it for > > authorization, or combine OpenID and OAuth (great solution > > for people who love com

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Francisco Corella
--- On Tue, 1/4/11, Justin Richer wrote: > > > We need a protocol that does both authentication and > > > authorization.  We can take OAuth and adapt it for > > > authentication, or take OpenID and adapt it for > > > authorization, or combine OpenID and OAuth (great > > > solution > > > for people

Re: [OAUTH-WG] unregistered applications

2011-01-04 Thread Francisco Corella
--- On Tue, 1/4/11, Torsten Lodderstedt wrote: > just to make sure I understood your paper correctly: even > native clients are required to have a backend server > component, which receives the authorization results and > makes it available to the native client? Yes, a very simple one that respon

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread Francisco Corella
--- On Tue, 1/4/11, Torsten Lodderstedt wrote: > the attack you described sounds very similar to session > fixation attacks. TLS (more specifically server > authentication) is one way to cope with spoofing in general > (supposing the client has a reasonable CA policy). So it > should do in this cas

[OAUTH-WG] JSON Web Token (JWT) draft -01

2011-01-04 Thread Mike Jones
Draft -01 of the JSON Web Token (JWT) specification is now available. This version incorporates the consensus decisions reached at the Internet Identity Workshop. The remaining open issues and to-do items are documented in Section

Re: [OAUTH-WG] unregistered applications

2011-01-04 Thread torsten
This also means the availability of the native app on a device depends on the availability of this backend service. I don't know whether the average store website has a reasonable availability. Regards, Torsten. Sent with BlackBerry® Webmail from Telekom Deutschland -Original Message--

Re: [OAUTH-WG] TLS is needed for redirecting back to the client

2011-01-04 Thread torsten
The client could just add another random string with every authorization request. Regards, Torsten. Sent with BlackBerry® Webmail from Telekom Deutschland -Original Message- From: Francisco Corella Date: Tue, 4 Jan 2011 17:26:42 To: Torsten Lodderstedt Reply-To: fcore...@pomcor.c
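The per-request random string suggested in the message above, and the redirect_uri validation mentioned earlier in this thread, only help if the client binds the random value to the user's browser session and checks it on the way back, and if the authorization server compares the redirect_uri exactly. The following is an added example written for this page, not code from the thread or from any of its participants; the client id, the hostnames client.example and as.example, and the helper names are hypothetical. It shows a client minting a fresh state value, storing it in its own session, rejecting a callback whose state does not match that session (which is what defeats the fixation variant where the attacker hands the victim's browser a redirect obtained with the attacker's account), and an authorization-server-side exact-match check for redirect_uri.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client registration, constructed for this example.
CLIENT_ID = "example-client"
CLIENT_REDIRECT_URI = "https://client.example/cb"
REGISTERED_REDIRECT_URIS = {CLIENT_REDIRECT_URI}
AUTHZ_ENDPOINT = "https://as.example/authorize"


class AuthzRequestError(Exception):
    """Raised when a callback must not be accepted for this session."""


def begin_authorization(session: dict) -> str:
    """Client side: mint an unguessable per-request state, bind it to the
    caller's own server-side session, and build the authorization URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CLIENT_REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Client side: accept the code only if the state in the callback equals
    the one bound to *this* session. A redirect the attacker obtained with
    their own account carries the attacker's state and is rejected here.
    The stored state is consumed so a callback cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise AuthzRequestError("no state bound to this session or missing in callback")
    # Constant-time comparison; the values are short but the habit is cheap.
    if not hmac.compare_digest(expected, received):
        raise AuthzRequestError("state mismatch: possible session fixation / login CSRF")
    code = query.get("code", [None])[0]
    if code is None:
        raise AuthzRequestError("callback carries no authorization code")
    return code


def callback_is_rejected(session: dict, callback_url: str) -> bool:
    """Convenience wrapper: True if handle_callback refuses the callback."""
    try:
        handle_callback(session, callback_url)
    except AuthzRequestError:
        return True
    return False


def validate_redirect_uri(registered: set, requested: str) -> bool:
    """Authorization-server side: simple exact string comparison against the
    registered URI(s). No prefix matching, no ignoring of query or path
    components, so a registered https://client.example/cb does not admit
    https://client.example/cb/../x or https://client.example/cb?next=..."""
    return requested in registered


if __name__ == "__main__":
    # Walk-through on a constructed session and callback.
    browser_session = {}
    print("redirect user agent to:", begin_authorization(browser_session))
    good = f"{CLIENT_REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={browser_session['oauth_state']}"
    print("accepted code:", handle_callback(browser_session, good))
    # The stored state was consumed, so presenting the same callback again fails.
    print("replay rejected:", callback_is_rejected(browser_session, good))
```

The state value is a CSRF/fixation defence for the client's own session; it does not replace TLS on the client's callback endpoint, which is the separate point being argued in this thread (a network attacker who can read the redirect still obtains the code).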

Re: [OAUTH-WG] unregistered applications

2011-01-04 Thread torsten
Another question: how does the server validate the identity/authenticity of the client? In other words, what prevents a malicious app from using the URL and server of another native app? Regards, Torsten. Sent with BlackBerry® Webmail from Telekom Deutschland -Original Message-