[OAUTH-WG] draft-ietf-oauth-mtls-14

2019-04-11 Thread Brian Campbell
Draft -14 of "OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens" has been published. The changes in -14 (listed below) are editorial only and aim to provide some additional clarity around some recent small points of confusion and discussion. draft-ietf-oauth-mtls-14

[OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-14.txt

2019-04-11 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens Authors : Brian Ca

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-11 Thread Sascha Preibisch
I am late in the game, but not too late I hope. I would like to see 'aud' be the requesting client_id. For identifying the target resource, a 'resource' claim should be introduced. I am also suggesting to not introduce 'typ: at+jwt'. It is simply a jwt and the validation process will show if i

Re: [OAUTH-WG] on PKCE for CSRF prevention instead of state parameter

2019-04-11 Thread Daniel Fett
Hi Filip, This is an important point that you raise here. In an ideal world, the client would be able to learn whether the AS supports PKCE or not. My proposal for a normative text would be this: --- If PKCE [@RFC7636] is used by the client and the authorization server supports PKCE, clients MAY

[OAUTH-WG] on PKCE for CSRF prevention instead of state parameter

2019-04-11 Thread Filip Skokan
In Prague we've seen and talked about this point from Torsten's deck > Use PKCE for CSRF prevention instead of state parameter > >- PKCE is mandatory now and can fulfill this additional task >-