Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
I basically support adoption of this document. Asserting authentication methods in access tokens (in this case in JWTS format) is reasonable. We use it to pass information about the authentication performed prior to issuing an access token to the _resource_ server. What worries me is the back and

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread John Bradley
This is not an issue between oauth and OIDC. This has to do with the registry for JWT being in OAuth. Many protocols that use JWT are going to want to register claims. We can’t ask them to all move the parts of their specs that use JWT to OAuth. Perhaps JWT should have been part of JOSE, but

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
We clearly have this problem between oauth and oidc. Just take a look at the discovery thread. According to your argument I see two options: (1) amr stays an oidc claim, is used in oidc only and the oauth wg just publishes the registry entries. In this case, the spec should clearly explain this.

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Mike Jones
The context that most people on this thread probably don’t have is that an IANA registry can only be established by an RFC. Non-RFC specifications, such as OpenID specifications, can *register* values in a registry, but they cannot *establish* a registry. The OpenID Foundation inquired about t

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread John Bradley
I was trying to say that the issue about other specs using the JWT registry is not specific to OIDC. Discovery is a separate issue. If we don’t adopt this document it could go as AD sponsored, but I don’t think that really addresses your issue. The distinction between AD sponsored and WG docu

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
So basically, the RFC could also just establish the new registry and oidf could fill in the values? (just trying to understand) Original message Subject: RE: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized From: Mike Jones To: tors...@loddersted

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Phil Hunt (IDM)
Yes Phil > On Feb 13, 2016, at 07:59, "tors...@lodderstedt.net" > wrote: > > So basically, the RFC could also just establish the new registry and oidf > could fill in the values? > > (just trying to understand) > > > > Original message > Subject: RE: [OAUTH-WG] Authenti

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Justin Richer
Can we just do that, then? Seems to be the easiest way to address various needs and concerns. — Justin > On Feb 13, 2016, at 11:08 AM, Phil Hunt (IDM) wrote: > > Yes > > Phil > > On Feb 13, 2016, at 07:59, "tors...@lodderstedt.net > "

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Mike Jones
It's an acceptable fallback option if the working group decides it doesn't want to register the values that are already in production use at the time we establish the registry. But as William points out, Google is already using some of these values. Microsoft is using some of them. The OpenID M

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread Justin Richer
We’re a standard body working group. We don’t do “efficient”. ;) — Justin > On Feb 13, 2016, at 3:19 PM, Mike Jones wrote: > > It's an acceptable fallback option if the working group decides it doesn't > want to register the values that are already in production use at the time we > establis