Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-08 Thread Dick Hardt
Phil, would you clarify what you are suggesting? I'm unclear if you are disagreeing with George or not. On Thu, Nov 8, 2018 at 4:28 AM Phil Hunt wrote: > I’m seeing broader need for discovery of OAuth infrastructure for APIs in > general now that APIs are being deployed by many parties: > * base

Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-08 Thread Dick Hardt
George: in the WG meeting we discussed this topic of where to put the discovery information. No one at the meeting advocated for using Link response (Nat was the one who was advocating for this). Many others preferred using the www-authenticate header similar to how you propose. On Thu, Nov 8, 201

Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-08 Thread Dick Hardt
There is a requirement in Distributed OAuth for the client to locate one or more AS metadata files for a given resource. On Tue, Nov 6, 2018 at 12:35 PM David Waite wrote: > Is there a need for a client to understand the identity of an > authorization server? > > This would seem to mean that the

[OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-08 Thread Dick Hardt
Omer, as promised, I have reviewed the ID[1] you posted. I'm confused in the Motivation by the references to authentication, as OAuth is about authorization. Perhaps you can post to the list the use case you are trying to solve for? I can infer aspects, but don't fully understand it. From what I

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-08 Thread Tomek Stojecki
Thanks for putting this together Aaron. Having read through the document, I am not as convinced that there is enough of a benefit of Authorization Code + PKCE vs Implicit Flow for SPAs. In section 7.8. the document outlines the Implicit flow disadvantages as following: "- OAuth 2.0 provides no

[OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-bcp-04.txt

2018-11-08 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : JSON Web Token Best Current Practices Authors : Yaron Sheffer Dick Hardt

Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-08 Thread George Fletcher
Cool! Sorry I couldn't make the meeting. One benefit of using WWW-Authenticate is that UMA has basically the same discovery logic (from RS to AS) and uses the WWW-Authenticate header. Keeping this discovery method the same (since UMA is just a profile of OAuth anyway) will help all developers.

[OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-08 Thread Daniel Fett
Hi Aaron, Thanks for writing up clear guidelines for SPAs. I reviewed the draft and would like to offer some feedback: One important aspect I am missing is a brief discussion on how, in general, SPAs should be implemented; in particular, whether the browser-app exchanges the code for an access to

[OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-08 Thread Daniel Fett
Hi Tomek, On 08.11.18 at 12:19, Tomek Stojecki wrote: > Thanks for putting this together Aaron. > > Having read through the document, I am not as convinced that there is enough > of a benefit of Authorization Code + PKCE vs Implicit Flow for SPAs. > > In section 7.8. the document outlines the Im

Re: [OAUTH-WG] AS Discovery in Distributed Draft

2018-11-08 Thread Phil Hunt
Dick, I was generally agreeing with George and stating that I think we have an emerging *general* OAuth2 discovery problem. Phil Oracle Corporation, Cloud Security and Identity Architect @independentid www.independentid.com phil.h...@oracle.com

Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-08 Thread Omer Levi Hevroni
Yes, that is correct. I'm sorry for the confusion; I think this confusion is built into the OAuth framework itself. You understood the scenario well - I have an application running on an untrusted device in an untrusted network. I looked for a way to authenticate the requests from the device to the AS. Does it

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-08 Thread David Waite
> On Nov 8, 2018, at 4:19 AM, Tomek Stojecki wrote: > > Thanks for putting this together Aaron. > > Having read through the document, I am not as convinced that there is enough > of a benefit of Authorization Code + PKCE vs Implicit Flow for SPAs. > > In section 7.8. the document outlines

Re: [OAUTH-WG] questions on Seamless OAuth 2.0 Client Assertion Grant

2018-11-08 Thread Dick Hardt
More detail on the scenario would help. On Fri, Nov 9, 2018 at 2:04 AM Omer Levi Hevroni wrote: > Yes, that is correct. > I'm sorry for the confusion; I think this confusion is built into > the OAuth framework itself. > You understood the scenario well - I have an application running on an > untrusted d

[OAUTH-WG] JWT BCP updates addressing Area Director review comments

2018-11-08 Thread Mike Jones
The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the review comments from Security Area Director (AD) Eric Rescorla. Thanks to Eric for the review and to Yaron Sheffer for working on the responses with me. Note that IETF publication has already be