Re: [OAUTH-WG] Meeting Minutes

2019-12-17 Thread David Waite
+1 to adopting PAR. For RAR I have a number of questions myself with the approach and with some of the ramifications. I’m most concerned with the coupling of business-specific presentation, process validation and workflow within the AS, but also with the mixing of single transactional approval

[OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Rifaat Shekh-Yusef
All, This is a call for adoption of the OAuth 2.0 Pushed Authorization Requests document. https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/ There was good support for this document during the Singapore meeting, and on the mailing list in the Meeting Minutes thread. Please, let

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Daniel Fett
I support the adoption of PAR. -Daniel On 17.12.19 at 13:59 Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption of the OAuth 2.0 Pushed Authorization > Requests document. > https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/  > > There was good support for this docu

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Filip Skokan
I support the WG adoption of PAR. Best, Filip On Tue, 17 Dec 2019 at 14:01, Daniel Fett wrote: > I support the adoption of PAR. > > -Daniel > > On 17.12.19 at 13:59 Rifaat Shekh-Yusef wrote: > > All, > > This is a call for adoption of the OAuth 2.0 Pushed Authorization > Requests documen

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Aaron Parecki
I support the adoption of PAR. Aaron Parecki On Tue, Dec 17, 2019 at 4:59 AM Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption of the OAuth 2.0 Pushed Authorization > Requests document. > https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/ > > There was good supp

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread John Bradley
I support adoption On 12/17/2019 11:01 AM, Aaron Parecki wrote: > I support the adoption of PAR. > > Aaron Parecki > > > On Tue, Dec 17, 2019 at 4:59 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote: > > All, > > This is a call for adoption of the OAuth 2.0 Pushed > Au

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Hans Zandbelt
I support the adoption of PAR Hans. On Tue, Dec 17, 2019, 22:15 John Bradley wrote: > I support adoption > On 12/17/2019 11:01 AM, Aaron Parecki wrote: > > I support the adoption of PAR. > > Aaron Parecki > > > On Tue, Dec 17, 2019 at 4:59 AM Rifaat Shekh-Yusef > wrote: > >> All, >> >> This i

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Brian Campbell
I support adoption of PAR On Tue, Dec 17, 2019 at 7:41 AM Hans Zandbelt wrote: > I support the adoption of PAR > > Hans. > > On Tue, Dec 17, 2019, 22:15 John Bradley wrote: > >> I support adoption >> On 12/17/2019 11:01 AM, Aaron Parecki wrote: >> >> I support the adoption of PAR. >> >> Aaron

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Vladimir Dzhuvinov
+1 for the PAR spec adoption. We were in fact so pleased with PAR that next week we'll be making it available for production use, based on draft-lodderstedt-oauth-par-01. If we had any questions during the implementation, they were addressed in -01. The spec is feature complete IMHO. Vladimir On
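For readers following the adoption call above, the following is an added example of the authorization-server side of Pushed Authorization Requests as the draft describes the flow: the client POSTs its authorization request parameters to the PAR endpoint under client authentication, receives a `request_uri` with the `urn:ietf:params:oauth:request_uri:` prefix and an `expires_in`, and then sends the browser to the authorization endpoint with only `client_id` and `request_uri`. This is illustrative code written for this page, not code from the draft or from any implementer on the thread; the client table, the injectable clock, the 60-second lifetime and the error strings are assumptions, and the checks that the `request_uri` is bound to the pushing client, expires, and is accepted once are the properties the draft gives it.

```python
import secrets
import time
from dataclasses import dataclass

# Prefix the PAR draft defines for the request_uri the AS hands back.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class ParError(Exception):
    """OAuth-style error; `error` is the code the AS would return in its JSON body."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


@dataclass
class PushedRequest:
    client_id: str      # client that authenticated at the PAR endpoint
    params: dict        # the authorization request parameters it pushed
    expires_at: float
    used: bool = False


class AuthorizationServer:
    """AS-side PAR logic. Client table, clock and lifetime are hypothetical."""

    def __init__(self, clients, now=time.time, ttl=60):
        self.clients = clients   # client_id -> {"secret": str, "redirect_uris": [str]}
        self.now = now           # injectable clock so expiry is testable
        self.ttl = ttl           # request_uri lifetime in seconds (AS policy; 60 is an assumption)
        self.store = {}          # request_uri -> PushedRequest

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(
            client["secret"].encode(), client_secret.encode()
        ):
            raise ParError("invalid_client", "client authentication failed")
        return client

    def par_endpoint(self, form, client_id, client_secret):
        """POST to the PAR endpoint: authenticate the client, validate the pushed
        authorization request, store it and return (HTTP status, JSON body)."""
        client = self._authenticate_client(client_id, client_secret)
        if "request_uri" in form:
            raise ParError("invalid_request", "request_uri must not be pushed")
        if form.get("client_id", client_id) != client_id:
            raise ParError("invalid_request", "client_id does not match the authenticated client")
        if form.get("response_type") != "code":
            raise ParError("unsupported_response_type", "only the code flow is supported here")
        if form.get("redirect_uri") not in client["redirect_uris"]:
            raise ParError("invalid_request", "redirect_uri is not registered for this client")
        # Everything the AS would otherwise check at the authorization endpoint is
        # checked here, before any user interaction, and rejected with a JSON error.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self.store[request_uri] = PushedRequest(
            client_id=client_id,
            params={**form, "client_id": client_id},
            expires_at=self.now() + self.ttl,
        )
        return 201, {"request_uri": request_uri, "expires_in": self.ttl}

    def resolve_authorization_request(self, query):
        """Authorization endpoint: the browser arrives with client_id and request_uri.
        Look the pushed request up and enforce client binding, expiry and single use."""
        entry = self.store.get(query.get("request_uri", ""))
        if entry is None:
            raise ParError("invalid_request", "unknown request_uri")
        if entry.client_id != query.get("client_id"):
            raise ParError("invalid_request", "request_uri is bound to a different client")
        if entry.used:
            raise ParError("invalid_request", "request_uri has already been used")
        if self.now() > entry.expires_at:
            raise ParError("invalid_request", "request_uri has expired")
        entry.used = True   # single use: a replayed or leaked request_uri buys nothing
        return dict(entry.params)


if __name__ == "__main__":
    clients = {"app": {"secret": "s3cret", "redirect_uris": ["https://app.example/cb"]}}
    server = AuthorizationServer(clients)
    status, body = server.par_endpoint(
        {"response_type": "code", "redirect_uri": "https://app.example/cb", "scope": "openid"},
        "app", "s3cret",
    )
    print(status, body)
    print(server.resolve_authorization_request({"client_id": "app", "request_uri": body["request_uri"]}))
```

The point of doing the validation at the PAR endpoint is that a malformed or unauthorized request never reaches the user's browser, and the authorization request that does travel through the front channel carries nothing but an opaque reference.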

[OAUTH-WG] Recommendations for OAuth in browsers

2019-12-17 Thread Evert Pot
At our company we're developing REST APIs. One of the things that is pretty important to us is developers being able to access the REST APIs directly, via their browsers. Our systems typically have a middleware that converts generated hal+JSON into an HTML interface so it is easily browsable. When using

[OAUTH-WG] (no subject)

2019-12-17 Thread Schlampa Schlampa
___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread David Waite
I support the adoption of PAR > On Dec 17, 2019, at 5:59 AM, Rifaat Shekh-Yusef wrote: > > All, > > This is a call for adoption of the OAuth 2.0 Pushed Authorization > Requests document. > https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/ >

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread Dick Hardt
+1 On Tue, Dec 17, 2019 at 11:13 AM David Waite wrote: > I support the adoption of PAR > > On Dec 17, 2019, at 5:59 AM, Rifaat Shekh-Yusef > wrote: > > All, > > This is a call for adoption of the OAuth 2.0 Pushed Authorization > Requests document. > https://datatracker.ietf.org/doc/draft-lo

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-17 Thread Vittorio Bertocci
Hi Torsten! > > just to make sure I understood correctly. Are you saying the client has > credentials but is not authenticated using those in all potential > scenarios? Can you pls. explain the rationale? Yes, that's the scenario. In Azure AD you create an app registration that generates a client

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-17 Thread Vittorio Bertocci
> > The one-RS-per-AT model is an ideal that simply doesn’t match reality. That's a pretty strong statement :) I have worked with a very large number of developers, on a very large number of applications. I don't dispute that your experience might be different, but the one AT per RS is daily reali

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-17 Thread Torsten Lodderstedt
> On 17.12.2019 at 21:03 Vittorio Bertocci wrote > : > >  >> The one-RS-per-AT model is an ideal that simply doesn’t match reality. > That's a pretty strong statement :) I have worked with a very large number of > developers, on a very large number of applications. I don't dispute that yo

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-17 Thread Vittorio Bertocci
> > we should not design fundamental specs that mandate its adoption. Thanks for clarifying! Here I go back to the intent, which is to provide an interoperable projection of ATs in JWT. I think it's reasonable for an interop profile to focus on the simplest case, which also happens to reflect the

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Pushed Authorization Requests

2019-12-17 Thread n-sakimura
+1 Nat Sakimura (崎村夏彦), Senior Researcher, IT Platform Technology Strategy Office, Nomura Research Institute (野村総合研究所) E: n-sakim...@nri.co.jp T: +81(90)60136276 - This e-mail may contain confidential information intended only for the named recipient. If you are not the intended recipient, please notify the sender and delete this e-mail. PLEASE READ: This e-mail is confidential and intended for the named rec

Re: [OAUTH-WG] Recommendations for OAuth in browsers

2019-12-17 Thread Hans Zandbelt
there's: https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps that mentions handling OAuth through a backend component in: https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02#section-6.2 There's an implementation of such a backend in a module for the Apache webserver
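As an added illustration of the backend-component pattern Hans points to (not code from the draft, from the Apache module, or from either poster), here is the shape such a backend takes in Python: the backend owns the OAuth client and performs the authorization code flow with PKCE and `state`, keeps the tokens server-side keyed by an opaque HttpOnly session cookie, and proxies API calls for the browser, so the JavaScript in the browser never sees an access token. The authorization server URL, client registration, cookie name and the injected `exchange_code` and `call` callables (standing in for the token endpoint and the API) are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical registration values; none of these come from the thread.
AUTHORIZE_URL = "https://as.example/authorize"
CLIENT_ID = "browser-app-backend"
REDIRECT_URI = "https://app.example/oauth/callback"
SCOPE = "openid api"


class AuthError(Exception):
    pass


def pkce_challenge(verifier):
    """S256 code_challenge: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class Backend:
    """Server-side component in front of a browser app. It holds the client
    credentials, the PKCE verifier, the state and the tokens; the browser only
    ever holds an opaque session cookie."""

    def __init__(self):
        self.sessions = {}   # session id (cookie value) -> per-session state

    def start_login(self):
        """Begin the code flow. Returns (redirect URL for the browser, Set-Cookie value)."""
        sid = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)
        self.sessions[sid] = {"state": state, "verifier": verifier}
        url = AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": SCOPE,
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        })
        cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
        return url, cookie

    def handle_callback(self, sid, query, exchange_code):
        """Redirect URI handler. `exchange_code(code, code_verifier, redirect_uri) -> dict`
        stands in for the backend's confidential call to the token endpoint."""
        session = self.sessions.get(sid)
        if session is None or "state" not in session:
            raise AuthError("no login in progress for this session")
        expected_state = session.pop("state")     # state and verifier are single use
        verifier = session.pop("verifier")
        if "error" in query:
            raise AuthError(f"authorization server returned {query['error']}")
        if not secrets.compare_digest(expected_state.encode(), query.get("state", "").encode()):
            raise AuthError("state mismatch (CSRF or mixed-up session)")
        tokens = exchange_code(query["code"], verifier, REDIRECT_URI)
        session["access_token"] = tokens["access_token"]   # stays on the server
        return "/"   # location to send the browser to next

    def call_api(self, sid, call):
        """The browser calls the backend with its cookie; the backend attaches the
        bearer token it holds. `call(headers) -> response` stands in for the HTTP call."""
        token = self.sessions.get(sid, {}).get("access_token")
        if token is None:
            raise AuthError("not logged in")
        return call({"Authorization": f"Bearer {token}"})
```

The two checks that matter at the callback are that the `state` matches the one stored for this particular session (so a code from some other user's flow cannot be bound to this session) and that the PKCE verifier never leaves the backend; both values are consumed on first use so the callback cannot be replayed.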

Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object

2019-12-17 Thread Nat Sakimura
So, no change is OK? On Wed, Dec 11, 2019 at 10:01 PM John Bradley wrote: > I also slightly prefer the merge approach. > > There are plusses and minuses to both. > > Changing again now that it is past IESG review and backing out a Discuss > will add another three to six months at this point, if

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

2019-12-17 Thread Steinar Noem
Hi Vittorio! At HelseID we indicate the method that was used for client authentication in our ATs. For us, this is the case both with or without a user. If the client used a client-assertion for authentication we would give some indication about the key material that was used. In our case that wou