Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Gil Kirkpatrick
That’s an issue we’re facing as well. Definitely interested. -gil From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Wednesday, April 6, 2016 4:57 PM To: 'Hardt, Dick' ; 'Phil Hunt (IDM)' Cc: s...@ietf.org; oauth@ietf.org Subject: Re: [OAUTH-WG] [scim] Simple Feder

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Anthony Nadalin
I would be interested also Sent from my Windows 10 phone From: Gil Kirkpatrick Sent: Wednesday, April 6, 2016 4:16 AM To: 'Nat Sakimura'; 'Hardt, Dick'; 'Phil Hunt (IDM)' Cc: s...

Re: [OAUTH-WG] [scim] Simple Federation Deployment server to server

2016-04-06 Thread Anthony Nadalin
Good question, since SCIM does not really provide an authorization model and OAuth does not do provisioning this is sort of caught in the middle, so if I had to pick I would pick OAuth as this is a generic server to server issue From: Hardt, Dick [mailto:d...@amazon.com] Sent: Wednesday, April 6

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Phil Hunt
I think it is worth discussing in oauth wg. While SCIM has issues, I think it represents a broader use case that other applications have that are deployed widely. Phil @independentid www.independentid.com phil.h...@oracle.com >

Re: [OAUTH-WG] [scim] Simple Federation Deployment server to server

2016-04-06 Thread Brian Campbell
OpenID ... ? On Wed, Apr 6, 2016 at 9:59 AM, Anthony Nadalin wrote: > Good question, since SCIM does not really provide an authorization model > and OAuth does not do provisioning this is sort of caught in the middle, so > if I had to pick I would pick OAuth as this is a generic server to server

[OAUTH-WG] afternoon oauth ietf meeting

2016-04-06 Thread Kim, William G
Will the 2nd OAuth meeting this afternoon happen in a room with remote support? Are there any options to be able to remotely listen in to this discussion? -William

[OAUTH-WG] Design Team on "OAuth Discovery"

2016-04-06 Thread Hannes Tschofenig
Hi all, today at the face-to-face meeting we decided to create a design team to work on the OAuth discovery spec. This is a short term design team that will report back to the group at the virtual interim meeting end of May/beginning of June. There are three input documents: - OAuth

[OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Hannes Tschofenig
Hi all, this is the call for adoption of 'Resource Indicators for OAuth 2.0', see http://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/ Please let us know by April 20th whether you accept / object to the adoption of this document as a starting point for work in the OAuth worki

[OAUTH-WG] OAuth 2.1

2016-04-06 Thread Hannes Tschofenig
Hi all, today we discussed the OAuth Authorization Server Mixup draft. We were wondering what types of threats the document should find solutions for. We discussed various document handling approaches including * OAuth Mix-Up and Cut-and-Paste attacks documented in separate solution documents *

[OAUTH-WG] Meeting Minutes

2016-04-06 Thread Hannes Tschofenig
Leif was so nice to take meeting notes during the OAuth meeting today and they have been uploaded to: https://www.ietf.org/proceedings/95/minutes/minutes-95-oauth Please take a look at them and let me know if they are incorrect or need to be extended. Ciao Hannes

[OAUTH-WG] Informal Discussion about Discovery Today at 16:20

2016-04-06 Thread Hannes Tschofenig
Hi all, during the f2f meeting today the suggestion was made to have another informal discussion about OAuth discovery. We are going to meet at 16:20 today at the **IETF registration desk**. William is trying to find a meeting room for us. Please respond to me privately about this event, if you

Re: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20

2016-04-06 Thread Anthony Nadalin
Wasn't this the task of the design team ? -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 6, 2016 10:48 AM To: oauth@ietf.org Subject: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20 Hi all, during the f2f

Re: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20

2016-04-06 Thread Hannes Tschofenig
Hi Tony, we use face-to-face time efficiently to get things moving forward faster. I am sure the design team will still have enough issues to solve. Ciao Hannes On 04/06/2016 07:49 PM, Anthony Nadalin wrote: > Wasn't this the task of the design team ? > > -Original Message- > From: OA

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Phil Hunt (IDM)
I would like to have more discussion before wg adoption. I support the work and am willing to help. Phil > On Apr 6, 2016, at 14:25, Hannes Tschofenig wrote: > > Hi all, > > this is the call for adoption of 'Resource Indicators for OAuth 2.0', see > http://datatracker.ietf.org/doc/draft-cam

Re: [OAUTH-WG] OAuth 2.1

2016-04-06 Thread Phil Hunt (IDM)
Existing implementations are for the large part ok and do not need these mitigations. Only the new use cases we have been discussing (configure on the fly and multi-as, etc) really need mitigation. The updated by approach seems like a good way to address the new cases. Phil > On Apr 6,

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Hannes Tschofenig
Phil, we have discussed this concept already for years. In fact, it dates back to the days of the OAuth base specification and the security consideration section even talks about it. We have had the content of this in the PoP key distribution draft and we are now moving it into a separate documen

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Phil Hunt (IDM)
With the process of immediate wglc I think we should review all documents more thoroughly before adoption. As I said I support the work. Phil > On Apr 6, 2016, at 16:02, Hannes Tschofenig wrote: > > Phil, > > we have discussed this concept already for years. In fact, it dates back > to the

Re: [OAUTH-WG] OAuth 2.1

2016-04-06 Thread George Fletcher
I'd definitely prefer a single solution document to many little ones that have to be combined to actually build a secure solution. It's already getting complex with the additional specs that have been added. Additionally, I'm not against working on OAuth 2.1. Thanks, George On 4/6/16 2:06 PM,

Re: [OAUTH-WG] Cross-Area Review Request for RDAP Authentication

2016-04-06 Thread Hollenbeck, Scott
Folks, this is the sequence of list messages that I mentioned at the end of today's meeting. Nat did reply on January 20th with "It is on my todo list but ...". I really could use affirmation or correction from clueful people... Scott > -Original Message- > From: OAuth [mailto:oauth-bou

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Brian Campbell
I support the adoption of this draft by the working group. I don't think an immediate WGLC was expected here. On Wed, Apr 6, 2016 at 4:06 PM, Phil Hunt (IDM) wrote: > With the process of immediate wglc I think we should review all documents > more thoroughly before adoption. > > As I said I sup

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Anthony Nadalin
I would like to see the multiple resources servers, interaction with Token Exchange resolved before this is adopted to see if this will actually solve the problems From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Wednesday, April 6, 2016 12:52 PM To: Phil Hunt (IDM)

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Brian Campbell
Multiple resources are there now. I have no idea what "interaction with Token Exchange" means. Can you please explain? On Wed, Apr 6, 2016 at 5:04 PM, Anthony Nadalin wrote: > I would like to see the multiple resources servers, interaction with Token > Exchange resolved before this is adopted t

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Anthony Nadalin
I don’t see anything in the document that allows multiple resource servers where the token can be used. Token Exchange allows delegation and impersonation, so I have no idea of the semantics when I use both of these together From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Wednesd

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Brian Campbell
Please read the draft. On Wed, Apr 6, 2016 at 5:16 PM, Anthony Nadalin wrote: > I don’t see anything in the document that allows multiple resource servers > where the token can be used. Token Exchange allows delegation and > impersonation, so I have no idea of the semantics when I use both of th

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread John Bradley
I support adoption by the WG. > On Apr 6, 2016, at 2:25 PM, Hannes Tschofenig > wrote: > > Hi all, > > this is the call for adoption of 'Resource Indicators for OAuth 2.0', see > http://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/ > > Please let us know by April 20th wh

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Ian Glazer
I'd be interested too On Tue, Apr 5, 2016 at 5:59 PM, Hardt, Dick wrote: > Use case: An admin for an organization would like to enable her users to > access a SaaS application at her IdP. > > User experience: > >1. Admin authenticates to IdP in browser >2. Admin selects SaaS app to feder

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Mike Jones
For the record, I’m interested. From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick Sent: Tuesday, April 5, 2016 7:26 PM To: Phil Hunt (IDM) Cc: s...@ietf.org; oauth@ietf.org Subject: Re: [scim] Simple Federation Deployment I’m talking about removing manual steps in what happens t

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Nov Matake
I'm interested too. nov > On Apr 7, 2016, at 07:14, Mike Jones wrote: > > For the record, I’m interested. > > From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick > Sent: Tuesday, April 5, 2016 7:26 PM > To: Phil Hunt (IDM) > Cc: s...@ietf.org; oauth@ietf.org > Subject: Re:

[OAUTH-WG] RFC 7800 on Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

2016-04-06 Thread rfc-editor
A new Request for Comments is now available in online RFC libraries. RFC 7800 Title: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) Author: M. Jones, J. Bradley, H. Tschofenig Status: Standards Track

[OAUTH-WG] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00

2016-04-06 Thread Kepeng Li
To: ACE WG Cc: OAuth and COSE WG Hello all, This note begins a Call For Adoption for draft-wahlstroem-ace-cbor-web-token-00 [1] to be adopted as an ACE working group item, and added in the charter. The call ends on April 22, 2016. Keep in mind that adoption of a document does not mean the docume

[OAUTH-WG] Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) is now RFC 7800

2016-04-06 Thread Mike Jones
The Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) specification is now RFC 7800 - an IETF standard. The abstract describes the specification as: This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the

Re: [OAUTH-WG] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00

2016-04-06 Thread Mike Jones
+1 for adoption From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Kepeng Li Sent: Wednesday, April 6, 2016 10:35 PM To: a...@ietf.org Cc: Kathleen Moriarty ; Hannes Tschofenig ; c...@ietf.org; oauth@ietf.org; Stephen Farrell Subject: [Ace] Call for adoption for draft-wahlstroem-ace-cbor-web-

Re: [OAUTH-WG] [Ace] Call for adoption for draft-wahlstroem-ace-cbor-web-token-00

2016-04-06 Thread Samuel Erdtman
+1 for adoption Sent from my iPhone > On 7 apr. 2016, at 03:34, Kepeng Li wrote: > > To: ACE WG > Cc: OAuth and COSE WG > > Hello all, > > This note begins a Call For Adoption for > draft-wahlstroem-ace-cbor-web-token-00 [1] > to be adopted as an ACE working group item, and added in the char