Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Kathleen Moriarty
Hey Barry, From my observations with Facebook, it now has options added for you to select what resources from Facebook will get shared when authorizing access to other applications. You can click on each of the possibilities and strip it down. It appears to me that Facebook is managing that, so

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Phil Hunt
Interesting. A couple of possible issues (and of course I am speculating here): 1. Using OAuth for authentication (does LinkedIn support OIDC?) 2. Not asking for the minimum information needed (either by omission or by intent) I am really speculating now, but wonder if Slideshare didn’t actual

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Justin Richer
This is a pretty clear case of SlideShare trying to grab too much. The LinkedIn API (which is their own proprietary thing, not OpenID Connect) does separate all the permissions into different scopes. However, the SlideShare app is asking for all of them, and LinkedIn doesn’t let you uncheck any

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Phil Hunt
Do they explicitly ask for those scopes? Or do they leave scope to default that way? Phil > On Jul 22, 2015, at 10:22, Justin Richer wrote: > > This is a pretty clear case of SlideShare trying to grab too much. The > LinkedIn API (which is their own proprietary thing, not OpenID Connect) doe

[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-05.txt

2015-07-22 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 JWT Authorization Request Authors : Nat Sakimura J

Re: [OAUTH-WG] Token introspection for public clients?

2015-07-22 Thread Sergey Beryozkin
Hi Would there be any sense at all to have a new endpoint dedicated to supporting public clients only for these clients be able to do the extra validation which only public clients may need, etc, etc. Or perhaps let the access token endpoint not only exchange grants but also do some optional f

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Maciej Machulak
It seems that they don't ask for scopes. The parameter is left blank: scope= Kind regards, Maciej On 22 July 2015 at 10:26, Phil Hunt wrote: > Do they explicitly ask for those scopes? Or do they leave scope to default > that way. > > Phil > > On Jul 22, 2015, at 10:22, Justin Richer wrote: >

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Justin Richer
According to the LinkedIn docs, that means they get all the scopes that they registered for. — Justin > On Jul 22, 2015, at 10:59 AM, Maciej Machulak > wrote: > > It seems that they don't ask for scopes. > > The parameter is left blank: scope= > > Kind regards, > Maciej > > On 22 July 20

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Nat Sakimura
Wow, that's the very opposite of Privacy by Design/Default recommendation. 2015-07-22 11:06 GMT+02:00 Justin Richer : > According to the LinkedIn docs, that means they get all the scopes that > they registered for. > > — Justin > > On Jul 22, 2015, at 10:59 AM, Maciej Machulak > wrote: > > It

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread John Bradley
Slideshare did register all of those scopes as ones the client could ask for. Interpreting no scopes as all the ones the client has set as the ones it wants is probably not unreasonable. The problem is a combination of Slideshare over asking, perhaps because they don’t understand the default be

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Nat Sakimura
IMHO, returning everything if scope is empty is a violation of the collection minimization principle. From the Privacy by Design point of view, a lazy programmer sending an empty request should not cause the maximal data to be returned. Now, as far as the spec change is concerned, I agree with John that it

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Justin Richer
This may be a better fit for another article on http://oauth.net/articles/ instead of a WG document. — Justin > On Jul 22, 2015, at 11:35 AM, Nat Sakimura wrote: > > IMHO, returning everything if scope is empty is a violation of the collection > minimization princ

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Phil Hunt
Agreed. I have heard it can be equally bad to pester the user every time a new scope is needed. There’s a definite balancing problem. I don’t think this is an OAuth issue; just a good user experience issue. Phil @independentid www.independentid.com phil.h...@oracle.com > On Jul 22, 2015, at 11:

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Nat Sakimura
I think it would be good to have both a guideline informative RFC as well as the oauth.net blog entry, the former being more "formal" in the way of writing while the latter can be a more readable one. Re: pestering factor -- Indeed, I am the one who started to talk about "turning an internet dog into a Pavlo

Re: [OAUTH-WG] OAuth implementation fail

2015-07-22 Thread Nat Sakimura
+1 Is there any A/B test kind of statistics on the improvement of the conversion of incremental authz over kitchen sink authz? If there is, it would be very good data to show to those people who want everything upfront. Nat 2015-07-22 15:01 GMT+02:00 William Denniss : > On the pestering t

[OAUTH-WG] Authentication Method Reference Values Specification

2015-07-22 Thread Mike Jones
Phil Hunt and I have posted a new draft that defines some values used with the "amr" (Authentication Methods References) claim and establishes a registry for Authentication Method Reference values. These values include commonly used authentication methods like "pwd" (password) and "otp" (one ti