Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Dave Tonge
Hi Neil and Torsten I agree that the risk is about token theft / leakage. My understanding is that we should assume that at some point access tokens will be leaked, e.g. Facebook: https://auth0.com/blog/facebook-access-token-data-breach-early-look/ If access tokens were cryptographically sender-co

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Neil Madden
Hi Dave, > On 25 Nov 2019, at 08:28, Dave Tonge wrote: > > Hi Neil and Torsten > > I agree that the risk is about token theft / leakage. My understanding is > that we should assume that at some point access tokens will be leaked, > e.g. Facebook: > https://auth0.com/blog/facebook-access-token

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Torsten Lodderstedt
Hi Neil, > On 25. Nov 2019, at 12:38, Neil Madden wrote: > > But for web-based SPAs and so on, I'm not sure the cost/benefit trade-off is > really that good. The biggest threat for tokens being stolen/misused is still > XSS, and DPoP does nothing to protect against that. It also doesn't prote

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Neil Madden
On 25 Nov 2019, at 12:09, Torsten Lodderstedt wrote: > > Hi Neil, > >> On 25. Nov 2019, at 12:38, Neil Madden wrote: >> >> But for web-based SPAs and so on, I'm not sure the cost/benefit trade-off is >> really that good. The biggest threat for tokens being stolen/misused is >> still XSS, an

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Jared Jennings
+1 -Jared Skype:jaredljennings Signal:+1 816.730.9540 WhatsApp: +1 816.678.4152 On Mon, Nov 25, 2019 at 8:08 AM Neil Madden wrote: > On 25 Nov 2019, at 12:09, Torsten Lodderstedt > wrote: > > > > Hi Neil, > > > >> On 25. Nov 2019, at 12:38, Neil Madden > wrote: > >> > > Do you think we shoul

Re: [OAUTH-WG] authorization code injection - draft-ietf-oauth-security-topics-13

2019-11-25 Thread Daniel Fett
On 16.11.19 at 14:28, Aaron Parecki wrote: > Thanks for the reply. You're right, PKCE requires maintaining > application state as well, and does solve the main worry I have. > > However I think there is still something more. I guess my concern is > around the specific wording: > >> in this case, '

Re: [OAUTH-WG] authorization code injection - draft-ietf-oauth-security-topics-13

2019-11-25 Thread Aaron Parecki
Works for me, sounds like that clears up the confusion I am worried about. Aaron On Mon, Nov 25, 2019 at 7:12 AM Daniel Fett wrote: > On 16.11.19 at 14:28, Aaron Parecki wrote: > > Thanks for the reply. You're right, PKCE requires maintaining > application state as well, and does solve the ma

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Aaron Parecki
I agree, the Facebook issue had nothing to do with extracting access tokens via a hack, it was entirely Facebook's fault for issuing access tokens improperly in the first place. They posted some amazing details on what happened on their website. https://about.fb.com/news/2018/09/security-update/

[OAUTH-WG] Meeting minutes from IETF106

2019-11-25 Thread Aaron Parecki
Are the meeting minutes posted anywhere? I haven't been able to find a link to them yet. Thanks! Aaron -- Aaron Parecki aaronparecki.com @aaronpk

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-25 Thread Torsten Lodderstedt
> On 25. Nov 2019, at 17:06, Aaron Parecki wrote: > > I agree, the Facebook issue had nothing to do with extracting access tokens > via a hack, it was entirely Facebook's fault for issuing access tokens > improperly in the first place. They posted some amazing details on what > happened on t

Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-security-topics-13

2019-11-25 Thread Daniel Fett
Hi Guido, thanks for the feedback! I incorporated most of it into the next version. Some comments: On 22.11.19 at 18:00, Guido Schmitz wrote: > * Section 3.1, Third Paragraph, Section 4.7, and other places throughout > the document: (Please excuse that the following might be a bit > nitpicking

Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

2019-11-25 Thread Brian Campbell
On Fri, Nov 22, 2019 at 11:46 PM Benjamin Kaduk wrote: > On Wed, Nov 20, 2019 at 03:40:34AM +, Mike Jones wrote: > > SUBSTANTIVE > > > [...] > > > > 4.8.1.1. Metadata - This section suggests the use of a > "resource_servers" metadata value. This isn't defined by RFC 8414 nor do I > see it th

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-rar-03.txt

2019-11-25 Thread Brian Campbell
On Sun, Nov 24, 2019 at 8:18 PM Ryan Kelly wrote: > > > The "matches as prefix of one of the URLs" part of Paragraph 3 seems a >> bit unclear as well, given that there is no requirement that the >> "locations" elements be well-formed URLs. Is this is simple string prefix >> match, or some sort of

Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

2019-11-25 Thread Daniel Fett
+1. We should only discuss solutions if we would be okay with people actually implementing them. (See also my feedback to Guido's review.) -Daniel On 25 November 2019 20:41:45 CET, Brian Campbell wrote: >On Fri, Nov 22, 2019 at 11:46 PM Benjamin Kaduk wrote: > >> On Wed, Nov 20, 2019 at 03:

Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

2019-11-25 Thread Aaron Parecki
+1, I'm only comfortable making recommendations in this BCP if they are in fact, the best current practice. In my mind that means nothing aspirational, only things that are well established and that people can act on today. Aaron Parecki aaronparecki.com On Mon, Nov 25, 2019 at 12:50 PM Dan

Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

2019-11-25 Thread Torsten Lodderstedt
Parts of the text in section 4 capture discussions of potential solutions and reasons why we decided in favor of a certain solution. I think this will be useful in the future and it has already proven useful for me, e.g. in the recent discussions around PoP vs audience restriction. > Am 25.11.2

Re: [OAUTH-WG] WGLC review of OAuth 2.0 Security Best Current Practice by Mike Jones

2019-11-25 Thread Daniel Fett
On 25.11.19 at 23:02, Torsten Lodderstedt wrote: > Parts of the text in section 4 capture discussions of potential solutions and > reasons why we decided in favor of a certain solution. I think this will be > useful in the future and it has already proven useful for me, e.g. in the > recent dis