[OAUTH-WG] Feedback on OAuth for browser-based Apps

2019-07-21 Thread Dominick Baier
Hey, Just read the spec - good to see the progress. Some feedback: I am yet undecided if I like the categorisation of the “Application Architecture Patterns”. I definitely want to distinguish between applications only accessing same-site back-end services and “others”. Not sure if “dynamic applic

Re: [OAUTH-WG] Refresh tokens

2019-07-21 Thread Leo Tohill
I left out Okta (how could I?) - it supports a refresh token expiration, but I couldn't find doc on the details. On Sun, Jul 21, 2019 at 10:44 AM Brock Allen wrote: > > IdentityServer allows a choice of behavior on refresh token

[OAUTH-WG] not using oauth for this architecture in oauth for browser based apps.

2019-07-21 Thread Leo Tohill
The advice for the architectural pattern "JavaScript served from a common domain as the resource server" reads: "For simple system architectures, such as when the JavaScript application is served from a domain that can share cookies with the domain of the API (resource server), it may be a better

Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

2019-07-21 Thread Roman Danyliw
Hi Brian! Thanks for the update in -03. The item below is the only thing that remains outstanding. Thanks, Roman From: Roman Danyliw Sent: Wednesday, July 17, 2019 6:05 PM To: Brian Campbell Cc: oauth@ietf.org Subject: RE: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02 From:

[OAUTH-WG] Protocol Action: 'OAuth 2.0 Token Exchange' to Proposed Standard (draft-ietf-oauth-token-exchange-19.txt)

2019-07-21 Thread The IESG
The IESG has approved the following document: - 'OAuth 2.0 Token Exchange' (draft-ietf-oauth-token-exchange-19.txt) as Proposed Standard This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Benjamin Kaduk and Roman Danyliw. A URL of this In

Re: [OAUTH-WG] Transaction Authorization

2019-07-21 Thread Dick Hardt
Hey Justin A few use cases that highlight how the world is different now than it was when OAuth 2.0 was developed would help participants understand why changes are needed, and also provide a reference for comparing and contrasting different approaches. One of my first comments is why the client

Re: [OAUTH-WG] Transaction Authorization

2019-07-21 Thread Dick Hardt
Hi Neil, I agree that an access token that is usable across resources is problematic. How are you thinking multiple access tokens would be returned? Why do you think the request needs to return multiple tokens rather than making a separate request for each token? That would seem to simplify the r

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

2019-07-21 Thread John Bradley
Thanks On Sun, Jul 21, 2019, 12:31 PM Barry Leiba wrote: > Thanks, Brian! > > Barry > > On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell > wrote: > > > > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been > published with the updates discussed in this thread. > > > > On Sun,

Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

2019-07-21 Thread Brian Campbell
Doh, I got distracted with the registration question and lost track of this fork of the thread. I'll need to do a -04 also (after maybe some more discussion too) before I pass the ball back to the AD. On Wed, Jul 17, 2019, 4:04 PM Roman Danyliw wrote: > Hi Brian! > > > > *From:* Brian Campbell [

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

2019-07-21 Thread Barry Leiba
Thanks, Brian! Barry On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell wrote: > > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been > published with the updates discussed in this thread. > > On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell > wrote: >> >> That works for me. >

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

2019-07-21 Thread Brian Campbell
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been published with the updates discussed in this thread. On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell wrote: > That works for me. > > On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk wrote: > >> On Fri, Jul 19, 2019 at 10:05:5

[OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-19.txt

2019-07-21 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Token Exchange Authors : Michael B. Jones Anthony Nadalin

Re: [OAUTH-WG] Refresh tokens

2019-07-21 Thread Brock Allen
> IdentityServer allows a choice of behavior on refresh token expiration time. >It can have an absolute expiration time, or use a sliding window. FWIW, in addition, those can be used together -- sliding & absolute. Finally, refresh tokens can be re-use or one-time use only. These are all per-clie

[OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt

2019-07-21 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens Author : Vittorio Bertocci File

[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-indicators-03.txt

2019-07-21 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : Resource Indicators for OAuth 2.0 Authors : Brian Campbell John Bradley

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

2019-07-21 Thread Brian Campbell
That works for me. On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk wrote: > On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote: > > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba > wrote: > > > > > > > > >> — Section 1.1 — > > > >> Given the extensive discussion of impersonation here,