>> John Bradley sang a few notes from the Sound of Music to end the meeting.
Were the hills alive? :)
-gil
-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, April 7, 2016 3:14 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Meeting
While this work addresses a gap in the existing OAuth specification set, I am
very concerned that this
incremental extension will lead to even more confusion around the areas of
“scope”, “audience” and “resource server”.
I think we should try to solve this problem via a framework that provides
I support adoption of this document as a starting point for working group work.
— Justin
> On Apr 6, 2016, at 1:25 PM, Hannes Tschofenig
> wrote:
>
> Hi all,
>
> this is the call for adoption of 'Resource Indicators for OAuth 2.0', see
>
Fair points. I also think this is an area where good online documentation,
and books like *OAuth 2 in Action* can help, and possibly help a lot sooner.
On Thu, Apr 7, 2016 at 4:15 PM, Adam Lewis wrote:
> +1
>
> I will not comment on the timeline for this, but
+1
I will not comment on the timeline for this, but I will passionately
endorse the need for an OAuth 2.1 spec.
Speaking as somebody who now has spent years advocating for, and building
out public safety / first responder architectures built on an OAuth 2.0
architecture, I can say 2 things with
And what about code injection and open redirectors? I think we already have a
lot of deployment experience that should be used to evolve the spec.
Original message
Subject: Re: [OAUTH-WG] OAuth 2.1
From: "Phil Hunt
I think there are already years of implementation and experience since 2.0
If we wait until all the outstanding issues and new features have had
implementations and experience, we will never do a 2.1 as there continues to be
new things.
I would suggest a 2.1 be a clean, simple document of the
Yes - an intentionally conservative, implementation- and experience-driven path.
Revising OAuth 2.0 is a *big deal*. We shouldn't even be talking about it
until we've completed steps 1-5 below - *including* the "iterate" step, as
necessary. If we get this wrong, we'll fragment OAuth, which is
Hi Mike,
in my opinion, you described a possible path towards 2.1. Would you agree?
best regards,
Torsten.
> On 07.04.2016 at 13:38, Mike Jones wrote:
>
> I am strongly against creating a 2.1 spec until we have at least a year of
> deployment experience with the
Hi Tony,
I'm not saying we need to define scopes or scope values. These are certainly
application/API specific.
Here are the issues I see:
- Namespaces: there is no guidance on how to prevent clashes among scopes for
different applications. Say we had used the scope value "email" for our email
I thought that the meeting yesterday afternoon replaced the dinner tonight.
I don't have any dinner info for after bits and bites.
On Apr 7, 2016 1:04 PM, "Hardt, Dick" wrote:
> Confirming we are still gathering for dinner tonight (Thursday) and
> wondering when / where we will
The primary critique of OAuth 2.0 right now is that simply reading and
implementing the spec does not guarantee interoperable implementations. If
there is going to be a new OAuth 2.1 version, then it only makes sense to
go through that effort if it will actually lead to interoperable
+1 on a 2.1 version
-1 on defining scopes more precisely in 2.1
Sent from my iPhone
> On 7 apr. 2016, at 14:46, Anthony Nadalin wrote:
>
> I don't believe that scopes should be defined more precisely as this
> opaqueness was a design feature, I'm not seeing the reason
Confirming we are still gathering for dinner tonight (Thursday) and wondering
when / where we will meet.
— Dick
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
I don't believe that scopes should be defined more precisely as this opaqueness
was a design feature, I'm not seeing the reason why scopes need to be defined,
as these are application specific.
-Original Message-
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten
Congratulations! And what an RFC number ;-)
> On 06.04.2016 at 23:14, Mike Jones wrote:
>
> The Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
> specification is now RFC 7800 – an IETF standard. The abstract describes the
> specification as:
>
>
Surprisingly ;-), I kind of agree with Tony.
We need to hash out the requirements more fully.
Nat
2016-04-06 17:16 GMT-03:00 Anthony Nadalin :
> I don’t see anything in the document that allows multiple resource servers
> where the token can be used. Token Exchange
Count me in !
> On 7 Apr 2016 at 01:17, Nov Matake wrote:
>
> I'm interested too.
>
> nov
>
> On Apr 7, 2016, at 07:14, Mike Jones wrote:
>
>> For the record, I’m interested.
>>
>> From: scim [mailto:scim-boun...@ietf.org] On Behalf Of
+1 for adoption
Sent from my iPhone
> On 7 apr. 2016, at 03:34, Kepeng Li wrote:
>
> To: ACE WG
> Cc: OAuth and COSE WG
>
> Hello all,
>
> This note begins a Call For Adoption for
> draft-wahlstroem-ace-cbor-web-token-00 [1]
> to be adopted as an ACE working