Re: [OAUTH-WG] Refresh tokens

2019-07-21 Thread Leo Tohill
I left out Okta (how could I?) - it supports a refresh token expiration, but I couldn't find doc on the details. On Sun, Jul 21, 2019 at 10:44 AM Brock Allen wrote: > > IdentityServer allows a choice of behavior on refresh token

[OAUTH-WG] not using oauth for this architecture in oauth for browser based apps.

2019-07-21 Thread Leo Tohill
The advice for the architectural pattern "JavaScript served from a common domain as the resource server" reads: "For simple system architectures, such as when the JavaScript application is served from a domain that can share cookies with the domain of the API (resource server), it may be a

Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

2019-07-21 Thread Roman Danyliw
Hi Brian! Thanks for the update in -03. The item below is the only thing that remains outstanding. Thanks, Roman From: Roman Danyliw Sent: Wednesday, July 17, 2019 6:05 PM To: Brian Campbell Cc: oauth@ietf.org Subject: RE: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

[OAUTH-WG] Protocol Action: 'OAuth 2.0 Token Exchange' to Proposed Standard (draft-ietf-oauth-token-exchange-19.txt)

2019-07-21 Thread The IESG
The IESG has approved the following document: - 'OAuth 2.0 Token Exchange' (draft-ietf-oauth-token-exchange-19.txt) as Proposed Standard This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Benjamin Kaduk and Roman Danyliw. A URL of this

Re: [OAUTH-WG] Transaction Authorization

2019-07-21 Thread Dick Hardt
Hey Justin A few use cases that highlight how the world is different now than it was when OAuth 2.0 was developed would help participants understand why changes are needed, and also provide a reference for comparing and contrasting different approaches. One of my first comments is why the client

Re: [OAUTH-WG] Transaction Authorization

2019-07-21 Thread Dick Hardt
Hi Neil, I agree that an access token that is usable across resources is problematic. How are you thinking multiple access tokens would be returned? Why do you think the request needs to return multiple tokens rather than making a separate request for each token? That would seem to simplify the

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

2019-07-21 Thread John Bradley
Thanks On Sun, Jul 21, 2019, 12:31 PM Barry Leiba wrote: > Thanks, Brian! > > Barry > > On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell > wrote: > > > > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been > published with the updates discussed in this thread. > > > > On

Re: [OAUTH-WG] Refresh tokens

2019-07-21 Thread Brock Allen
> IdentityServer allows a choice of behavior on refresh token expiration time. > It can have an absolute expiration time, or use a sliding window. FWIW, in addition, those can be used together -- sliding & absolute. Finally, refresh tokens can be re-use or one-time use only. These are all

[OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt

2019-07-21 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens Author : Vittorio Bertocci

[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-indicators-03.txt

2019-07-21 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : Resource Indicators for OAuth 2.0 Authors : Brian Campbell John Bradley

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

2019-07-21 Thread Brian Campbell
That works for me. On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk wrote: > On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote: > > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba > wrote: > > > > > > > > >> — Section 1.1 — > > > >> Given the extensive discussion of impersonation here,