[OAUTH-WG] Assisted token flow

2018-03-18 Thread Travis Spencer
Good Morning All, We have submitted a draft of our "assisted token flow", which my colleague, Jacob Ideskog, presented at the OAuth Security Workshop in Zurich last summer.[1] The submission can be found here: https://datatracker.ietf.org/doc/draft-ideskog-assisted-token/ Some more detailed slid

[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-18 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Security Best Current Practice Authors : Torsten Lodderstedt Jo

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-18 Thread Torsten Lodderstedt
Hi all, The new revision contains the following changes: Completed sections on code leakage via referrer header, attacks in browser, mix-up, and CSRF Reworked Code Injection Section Added reference to OpenID Connect spec removed refresh token leakage as respective considerations have been given

[OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-18 Thread Torsten Lodderstedt
Hi all, I just submitted a new draft that Vladimir Dzhuvinov and I have written. It proposes a JWT-based response type for Token Introspection. The objective is to provide resource servers with signed tokens in case they need cryptographic evidence that the AS created the token (e.g. for liabil

Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-18 Thread Brock Allen
Why is TLS to the introspection endpoint not sufficient? Are you thinking there needs to be some multi-tenancy support of some kind? -Brock On 3/18/2018 3:33:16 PM, Torsten Lodderstedt wrote: Hi all, I just submitted a new draft that Vladimir Dzhuvinov and I have written. It proposes a JWT-ba

[OAUTH-WG] First version (pre-draft) of OAuth 2.0 seamless protocol

2018-03-18 Thread Omer Levi Hevroni
Hey and Good Morning I've created a first version of the draft, hope to finish it and send a draft soon. This is the protocol I'm going to present on Wednesday OAuth WG meeting. Feedback is highly appreciated - this is the first time I'm writing a draft. You can find it here: https://soluto.github.