Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

2019-05-08 Thread David Waite
> On May 8, 2019, at 1:37 AM, Emond Papegaaij wrote: > > On maandag 6 mei 2019 22:42:09 CEST David Waite wrote: >> On May 6, 2019, at 1:42 PM, Emond Papegaaij > >> You could also trigger re-authorization with a user click, thus allowing >> opening the AS in a new window or tab. Once back on

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Vittorio Bertocci
One case I have seen back in the AAD days was when a RS wants to authorize calls from specific clients. In there a client can act both as confidential and as public client, and in the case of public client the client_id can be reused by any app really - hence just looking at the client_id in the in

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Vladimir Dzhuvinov
On 08/05/2019 11:57, Neil Madden wrote: > Why does the RS need to know if the subject is a client vs a user? I suspect > the answers to that question are about as problematic as the RS needing to > know about the grant type. I have the exact same question. Could someone comment on that? I cann

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread George Fletcher
Maybe this is a dumb question, but why would an AS allow a client to register it's own client_id rather than issuing the client a client_id within the namespace of the AS? Also, a client_id or sub should NEVER be treated as unique without the context of the issuer. In that regard, the AS (as T

Re: [OAUTH-WG] Transaction Authorization with OAuth

2019-05-08 Thread George Fletcher
George:: Again, I would want the transaction requirements to be part of the API not part of the scope. In my mind, the authorization token should convey the client is authorized to perform a set of actions (capabilities) and then the API parameters define the exact details

Re: [OAUTH-WG] OAuth security topics

2019-05-08 Thread Torsten Lodderstedt
You are right. May I ask you to propose text (threat description, advice, ...) to be included in the BCP? > On 7. May 2019, at 13:23, Neil Madden wrote: > > The same issue applies to token introspection responses though. > >> On 7 May 2019, at 12:21, Torsten Lodderstedt wrote: >> >> Hi Neil

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Torsten Lodderstedt
An AS (and also an OP) MUST ensure uniqueness of any id that may end up in a “sub". OpenID Connect even states that explicitly. That way the recipient of the data (token, assertion, introspection response, …) does not need to know anything about account types. Having the same sub value for a u

Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

2019-05-08 Thread Thomas Broyer
On Wed, May 8, 2019 at 9:38 AM Emond Papegaaij wrote: > In our case or AS might have to federate the authentication to some other > AS, > that would only work in an iframe. Therefore, I think we will go for the > OIDC > prompt=none in a hidden iframe. I'm not sure what to do if the AS reports > t

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Neil Madden
Why does the RS need to know if the subject is a client vs a user? I suspect the answers to that question are about as problematic as the RS needing to know about the grant type. I’m not a fan of the client_credentials grant, better off using a real service account in most cases. Hopefully no n

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Vladimir Dzhuvinov
This is an excellent security point. I also imagine that in "federated" cases an RS could have its own subject scheme / namespace, distinct from the one at the AS, including for clients acting on their own behalf. Vladimir On 07/05/2019 11:37, Neil Madden wrote: > I wasn’t at IIW so I may be mis

Re: [OAUTH-WG] MTLS vs. DPOP

2019-05-08 Thread Hannes Tschofenig
Hi Ben, > I've forgotten the details of those two documents, but in the general case, > if there's a WG document that is no longer actively being worked on (or is > now believed to be a bad idea), the chairs can pretty easily get a new rev > posted that has a "tombstone" notice, like "this docu

Re: [OAUTH-WG] MTLS and Native apps Best practices

2019-05-08 Thread David Waite
> On May 7, 2019, at 8:02 AM, John Bradley wrote: > > I believe that for a native app to use mtls via a chrome custom tab or Safari > view controller you need to provision a certificate and private key to the > system keystore. It is not something that can happen dynamically from the > app

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Vladimir Dzhuvinov
On 07/05/2019 11:48, Vittorio Bertocci wrote: > name > TBD given that sub_type is taken already Meaning that it cannot be used in a AT as JWT? What spec is that? Thanks, Vladimir -- Vladimir Dzhuvinov ___ OAuth mailing list OAuth@ietf.org https://w

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-05-08 Thread Vladimir Dzhuvinov
grant_type would be horrible for RS developers to deal with, just to find out whether "sub" effectively == "client_id". Why? * RS developers will need to learn more OAuth stuff - there are better ways to motivate people than that :) * The OAuth grant types are unbounded. If at some point

Re: [OAUTH-WG] Recommendations for OAuth 2.0 with Browser-Based Apps

2019-05-08 Thread Emond Papegaaij
Hi, Thanks for your detailed reply. I've replied inline. On maandag 6 mei 2019 22:42:09 CEST David Waite wrote: > On May 6, 2019, at 1:42 PM, Emond Papegaaij wrote: > > For a browser-based app, we try to follow the recommendations set in > > draft- > > ietf-oauth-browser-based-apps-01. This doe

Re: [OAUTH-WG] MTLS vs. DPOP

2019-05-08 Thread Torsten Lodderstedt
Hi Karl, > On 7. May 2019, at 22:42, Karl McGuinness wrote: > > 1) You often need to deploy your cloud edge load balancer in TCP mode and > handle your own TLS termination if you want client authentication. I like that option since it gives end2end transport security for your application. Un