[OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

2018-03-19 Thread Rifaat Shekh-Yusef
All, As discussed during the meeting today, we are starting a WGLC on the MTLS document: https://tools.ietf.org/html/draft-ietf-oauth-mtls-07 Please review the document and provide feedback on any issues you see with the document. The

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-05.txt

2018-03-19 Thread Joseph Heenan
Hi Torsten, As we briefly spoke about earlier, "3.8.1. Authorization Server as Open Redirector" could, I think, be made more explicit. Currently it explicitly mentions that the invalid_request and invalid_scope errors must not redirect back to the client's registered redirect URI.

Re: [OAUTH-WG] Publication has been requested for draft-ietf-oauth-device-flow-07

2018-03-19 Thread Justin Richer
Something to consider in the new security text that’s just occurred to me: If an attacker gets their account tied to a user’s device, there’s a risk that the attacker would potentially be able to get that user’s information as input through the device. Setting aside the obvious Alexa-style

[OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-08.txt

2018-03-19 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Device Flow for Browserless and Input Constrained Devices Authors : William Denniss

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Brian Campbell
And let us not forget about JWS unencoded payload https://tools.ietf.org/html/rfc7797 On Mar 19, 2018 11:41 AM, "Samuel Erdtman" wrote: > Hi, > > Adding an additional proposal to the table. Mike Jones, Anders Rundgren > and I have created a version of JWS where the signed

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Samuel Erdtman
Hi, Adding an additional proposal to the table. Mike Jones, Anders Rundgren and I have created a version of JWS where the signed JSON data does not have to be Base64url encoded (the JSON is signed using ES6 serialization rules). One of the benefits of this approach would be that the introspection

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Phil Hunt
+1. This is what I expected. Phil Oracle Corporation, Identity Cloud Services Architect @independentid www.independentid.com phil.h...@oracle.com > On Mar 19, 2018, at 10:16 AM, Torsten Lodderstedt >

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Torsten Lodderstedt
We explicitly want the token (JSON object) to be signed, not the HTTP response. I think using JWS is the most generic way to achieve that goal. > On 19.03.2018 at 09:57, Phil Hunt wrote: > > This draft has similar issues to >

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Torsten Lodderstedt
> On 18.03.2018 at 20:40, Brock Allen wrote: > > Why is TLS to the introspection endpoint not sufficient? TLS is sufficient if the AS and RS want to ensure the integrity of the token data (in transit). But there are use cases where the RS wants evidence (== digital

Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread Phil Hunt
This draft has similar issues to https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01 Rather than *try* to sign HTTP, a signed JWT object is more reliably returned. Phil > On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis > wrote: > > Hi, > > The

Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-19 Thread LARMIGNAT Louis
Hi, Could the draft Signing HTTP Messages (https://tools.ietf.org/html/draft-cavage-http-signatures-09) not meet this requirement in a more generic way? Regards, Louis From: OAuth On behalf of Brock Allen Sent: Sunday 18 March 2018 20:40 To: Torsten Lodderstedt

[OAUTH-WG] First version (pre-draft) of OAuth 2.0 seamless protocol

2018-03-19 Thread Omer Levi Hevroni
Hey and good morning, I've created a first version of the draft and hope to finish it and send a draft soon. This is the protocol I'm going to present at Wednesday's OAuth WG meeting. Feedback is highly appreciated - this is the first time I'm writing a draft. You can find it here: