[OAUTH-WG] Question regarding RFC 7800

2019-04-05 Thread Robert Lembree
Hello folks, What is the status of RFC 7800? We’re finding the need for this, and wonder what we might be able to do to help move this along? Regards, rob -- Robert Lembrée Lead Cybersecurity Architect Innovation & Technology Industrial Automation Business Schneider Ele

[OAUTH-WG] Possible help with product design

2019-04-05 Thread Milind Nikam
Dear Team, We are in a process of architecting the web project with the technology stack as Angular 7 & .NET Core 2.2. We wanted to implement token, So we did some research and finalized OAuth 2.0 & JWT would be the platform. However, I am new to OAuth 2.0. and even also JWT. So I need possible he

[OAUTH-WG] Possible help with product design

2019-04-05 Thread Milind Nikam
Dear Team, We are in a process of architecting the web project with the technology stack as Angular 7 & .NET Core 2.2. We wanted to implement token, So we did some research and finalized OAuth 2.0 & JWT would be the platform. However, I am new to OAuth 2.0. and even also JWT. So I need possibl

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-04-05 Thread Binningsbø , Jørgen
Hi, We have a machine-to-machine scenario where clients, RSes and our AS all belong to different legal entities. Some RSes require their clients to limit the access token to a specific Resource Owner, while other RSes don't. In the former case, we use 'sub' to identify that Resource Owner.

[OAUTH-WG] CORS and the Device Authorization Grant (device flow)

2019-04-05 Thread Filip Skokan
Hello *, I recall implementing an early draft of this flow few years ago for a client landscape composed primarily of older set-top boxes, old and new TV models of various brands (LG, Samsung, Sony) and also HbbTV standards 1.5 and 2.0. I remember having to set up CORS on both the device authoriz

Re: [OAUTH-WG] MTLS and SAN

2019-04-05 Thread Jim Willeke
I may not be completely up to date in this discussion, However, RFC 6125 "In general, *this specification recommends and prefers* use of subjectAltName entries (DNS-ID, SRV-ID, URI-ID, etc.) over use of the subject field (CN-ID) where possible,