Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metadata

2020-01-06 Thread Filip Skokan
We've been discussing making the following change to the language: "The AS SHOULD validate the request in the same way as at the authorization endpoint. The AS MUST ensure that all parameters to the authorization request are still valid at the time when the request URI is used." This would

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-06 Thread Jim Willeke
I support adoption. -- -jim Jim Willeke On Mon, Jan 6, 2020 at 3:36 PM Dick Hardt wrote: > I support adoption > > On Mon, Jan 6, 2020 at 12:32 PM Richard Backman, Annabelle wrote: > >> I support adoption. >> >> >> >> – >> >> Annabelle Richard Backman >> >> AWS

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-06 Thread Dick Hardt
I support adoption On Mon, Jan 6, 2020 at 12:32 PM Richard Backman, Annabelle wrote: > I support adoption. > > > > – > > Annabelle Richard Backman > > AWS Identity > > > > > > *From: *OAuth on behalf of John Bradley < > ve7...@ve7jtb.com> > *Date: *Monday, January 6, 2020 at 12:05 PM > *To:

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-06 Thread John Bradley
I support adoption On 1/6/2020 4:37 PM, Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the *OAuth 2.0 Rich Authorization > Requests* document. > https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ > > Please, let us know if you support or object to the adoption

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-06 Thread Filip Skokan
I support the WG adoption of RAR. Best, *Filip* On Mon, 6 Jan 2020 at 20:38, Rifaat Shekh-Yusef wrote: > All, > > This is a call for adoption for the *OAuth 2.0 Rich Authorization > Requests* document. > https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ > > Please, let us know if

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-06 Thread Aaron Parecki
I support the adoption of this document. Aaron Parecki aaronparecki.com On Mon, Jan 6, 2020 at 11:38 AM Rifaat Shekh-Yusef wrote: > > All, > > This is a call for adoption for the OAuth 2.0 Rich Authorization Requests > document. >

[OAUTH-WG] Call for Adoption: OAuth 2.0 Rich Authorization Requests

2020-01-06 Thread Rifaat Shekh-Yusef
All, This is a call for adoption for the *OAuth 2.0 Rich Authorization Requests* document. https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-rar/ Please, let us know if you support or object to the adoption of this document as a working group document by Jan 20th. Regards, Rifaat &

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

2020-01-06 Thread Daniel Fett
On 03.01.20 at 11:33, Torsten Lodderstedt wrote: > Hi Brian, > > I'm on the fence regarding your proposal. > > What I like is it moves the focus onto leakage prevention and prevention of > injection in the authorization response, which are the direct threats to the > front channel flow.

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

2020-01-06 Thread Daniel Fett
On 27.12.19 at 23:27, Filip Skokan wrote: > Encrypted JARM responses are in a very similar position. Access Token > value is not part of the URL and the response itself is protected. > Such response is usually only consumed by a server side application. > Same as any form_post response. The

Re: [OAUTH-WG] PAR metadata

2020-01-06 Thread Neil Madden
Agreed. In addition, I'm not sure why the PAR endpoint would need access to the decryption keys at all. If you're using encrypted request objects then the PAR endpoint receives an encrypted JWT and then later makes the same (still encrypted) JWT available to the authorization endpoint. If the

Re: [OAUTH-WG] PAR metadata

2020-01-06 Thread Brian Campbell
I really struggle to see the assumption that an entity be able to use the same key to decrypt the same type of message ultimately intended for the same purpose as an artificial limit. The same general assumption underlies everything else in OAuth/OIDC (Vladimir's post points to some but not all

Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object

2020-01-06 Thread Takahiko Kawasaki
Apparently, the description in the JAR spec has made some AS implementers, at least Vladimir - Connect2id and Filip - node-oidc-provider, decide to devise a workaround, and the approach (preparing a configuration switch) is attracting Taka (me) - Authlete, too. This may be a typical answer by AS

Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object

2020-01-06 Thread Filip Skokan
I don't think we have the separation of OAuth and non-OAuth parameters and let's please not. Even OIDC parameters are part of the OAuth parameters registry and I cannot imagine the hardship if we were to explain