Re: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?

2015-10-21 Thread Justin Richer
You're assuming that the user actually took an action to get to that page. It's trivial for a website, any website, to craft a URL and redirect a user to the IdP. I could give you a link here in this email hidden behind a URL shortener or some other redirector. It would be very bad practice to

Re: [OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?

2015-10-21 Thread Sergey Beryozkin
Hi Justin It helps, many thanks. I understand why 'MUST' is there now... Cheers, Sergey On 21/10/15 14:37, Justin Richer wrote: You're assuming that the user actually took an action to get to that page. It's trivial for a website, any website, to craft a URL and redirect a user to the IdP. I

Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection

2015-10-21 Thread Justin Richer
This was discussed extensively and is covered in the text of the RFC, but the summary is simple: the request isn’t a bad request (which is what 400 means). It’s a perfectly valid request, it’s just that the token you’re asking about might not be valid for some reason, or it might not be valid

[OAUTH-WG] FW: [jose] Cross group Working Group Last Call - draft-ietf-jose-jws-sigining-input-otpions

2015-10-21 Thread Jim Schaad
> -Original Message- > From: Jim Schaad [mailto:i...@augustcellars.com] > Sent: Wednesday, October 21, 2015 3:33 PM > To: 'o...@ietf.org' > Cc: 'j...@ietf.org' > Subject: RE: [jose] Cross group Working Group Last Call - draft-ietf-jose-jws- >

[OAUTH-WG] Is authorization challenge always needed in OIDC OAuth2 servers ?

2015-10-21 Thread Sergey Beryozkin
Hi I cannot subscribe to an OIDC spec list, had some earlier questions not flowing to the list and given I'm not sure this question is irrelevant for this group (OIDC IDP is an OAuth2 server), I'm posting it here. If you'd like me to re-post to the OIDC list then let me know please... Sorry

Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection

2015-10-21 Thread Kathleen Moriarty
Yes, nice job! Sent from my iPhone > On Oct 21, 2015, at 4:20 AM, Hannes Tschofenig > wrote: > > Thank you Justin for the hard work! > >> On 10/20/2015 06:32 PM, Justin Richer wrote: >> Thank you to everyone who helped make token introspection into a real >>

Re: [OAUTH-WG] RFC 7662 on OAuth 2.0 Token Introspection

2015-10-21 Thread Hannes Tschofenig
Thank you Justin for the hard work! On 10/20/2015 06:32 PM, Justin Richer wrote: > Thank you to everyone who helped make token introspection into a real > standard! > > — Justin > >> On Oct 19, 2015, at 6:56 PM, rfc-edi...@rfc-editor.org wrote: >> >> A new Request for Comments is now