Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Incremental Authorization

2018-04-23 Thread Nat Sakimura
+1 On Thu, Apr 19, 2018 at 3:28 AM Richard Backman, Annabelle < richa...@amazon.com> wrote: > I support adoption of OAuth 2.0 Incremental Authorization as a WG document. > > > > -- > > Annabelle Richard Backman > > Amazon – Identity Services > > > > *From: *OAuth on

Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

2018-04-23 Thread Brian Campbell
draft -13 was just published with these changes On Mon, Apr 23, 2018 at 2:15 PM, George Fletcher wrote: > +1 > > > On 4/23/18 3:13 PM, Brian Campbell wrote: > > I just noticed/remembered that the draft also currently defines a "cid" > claim for the client identifier where

[OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-13.txt

2018-04-23 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Token Exchange Authors : Michael B. Jones Anthony Nadalin

Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

2018-04-23 Thread George Fletcher
+1 On 4/23/18 3:13 PM, Brian Campbell wrote: I just noticed/remembered that the draft also currently defines a "cid" claim for the client identifier where Introspection's RFC 7662 already uses "client_id" for the same thing. The reason for using "cid" was similar in that I was looking to

Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

2018-04-23 Thread Mike Jones
+1 From: Brian Campbell Sent: Monday, April 23, 2018 12:13 PM To: Torsten Lodderstedt Cc: Mike Jones ; oauth Subject: Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12 I just

Re: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08

2018-04-23 Thread Mike Jones
https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09 Sections 5.2 and 5.3 contain the confused deputy attack updates described in John’s response during London. -- Mike From: Eric Rescorla Sent: Friday,

Re: [OAUTH-WG] First look at: draft-ietf-oauth-device-flow

2018-04-23 Thread Mike Jones
Hi Ekr, https://tools.ietf.org/html/draft-ietf-oauth-device-flow-09 Sections 5.2 and 5.3 have been updated as proposed below. -- Mike From: John Bradley Sent: Monday, March 19, 2018 9:23 AM To: Eric Rescorla

[OAUTH-WG] OAuth Device Flow spec addressing Area Director comments

2018-04-23 Thread Mike Jones
The OAuth 2.0 Device Flow for Browserless and Input Constrained Devices specification has been updated to address feedback by Security Area Director Eric Rescorla about the potential of a confused deputy attack. Thanks to John Bradley for helping work out the

Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

2018-04-23 Thread Brian Campbell
I just noticed/remembered that the draft also currently defines a "cid" claim for the client identifier where Introspection's RFC 7662 already uses "client_id" for the same thing. The reason for using "cid" was similar in that I was looking to follow the semi-convention of JWT using three letter

Re: [OAUTH-WG] Call for Adoption: Reciprocal OAuth

2018-04-23 Thread Dick Hardt
As the author, I support the adoption. Do we have consensus now? On Tue, Apr 17, 2018 at 1:18 PM, William Denniss wrote: > +1, I support the adoption of this document. > > I've encountered this problem in the wild for account linking scenarios, > and I think it would be

Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

2018-04-23 Thread Yaron Sheffer
Hi Neil, Thank you again for your review and the follow up. Please see my comments in-line. Yaron Hi Mike, I sent this originally back in June last year, I can see some of these points have been addressed in -01, but not others, so I will include further comments in-line below.

Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

2018-04-23 Thread Brian Campbell
That's pretty much in line with my on-the-fence position on it. On Fri, Apr 20, 2018 at 4:43 PM, Justin Richer wrote: > Additional confirmation methods can be easily defined outside of this > draft. That said, I think those two in particular are pretty > straightforward to add