Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-access-token-jwt-11

2021-02-24 Thread Joseph Salowey
On Sat, Feb 20, 2021 at 12:42 AM Vittorio Bertocci < vittorio.berto...@auth0.com> wrote: > Thank you Joseph for your comments! > > [Joe] Thanks for your response, comments inline below: > > 1. (Editorial) What is the relationship between this document and RFC > 7523. > > They are using JWT

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Bron Gondwana
On Thu, Feb 25, 2021, at 02:18, Justin Richer wrote: > I agree that the NxM problem is the purview of the whole IETF, but it’s > something that we’re particularly interested in over in GNAP. As the editor > of OAuth’s dynamic registration extension and the GNAP core protocol, I hope > I can add

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Phillip Hunt
One thing that this thread is overlooking (Hannes and others have mentioned it) is that OAuth is an *authorization* protocol not intended for authentication. OAuth is not really for federation and sharing of claims. The idea is for an authz server to issue short term tokens that contain

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Michael Richardson
Justin Richer wrote: > From a technical standpoint, OAuth’s dynamic client registration lets > arbitrary clients talk to an AS, but the trust isn’t there in > practice. As an example of a fail even in a closed ecosystem: neither Google nor Facebook nor LinkedIn nor .. permit one to

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Warren Parad
I'll add just one more thing here, even if the protocol exists, the clarity, and was supported, I'm not sure that it would even be that widely used. Thinking about this from the user perspective, I just can't imagine how many would really choose to even need or want to set up these other

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Tim Bray
The OAuth work has successfully built a perfectly reasonable syntax and protocol for exchanging identity and attribute assertions, and that's fine. What it hasn't done is opened up the world of Identity Provision, but that's not a technical problem. OAuth flowed out of OpenID back in the day.

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Jim Willeke
I didn't mean to imply "you" were writing it off and you are probably right technology may not be able to solve it, I was just looking for ways we might help? -- -jim Jim Willeke On Wed, Feb 24, 2021 at 10:21 AM Aaron Parecki wrote: > > Sure, you could write it off as "a business problem" but

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Aaron Parecki
> Sure, you could write it off as "a business problem" but I did not mean to suggest that I was *writing it off* as a business problem. It *is* a very real problem, and I would very much like to see a solution, however based on my experience it is not something that technology will solve. This

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Justin Richer
I agree that the NxM problem is the purview of the whole IETF, but it’s something that we’re particularly interested in over in GNAP. As the editor of OAuth’s dynamic registration extension and the GNAP core protocol, I hope I can add to this conversation. From a technical standpoint, OAuth’s

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Jim Willeke
But in reality, just "because the technology" is there leaves out the practicality of creating a secure implementation. Sure, you could write it off as "a business problem" but many of the developers are small and not unusually single person operations that do not have the resources to

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Aaron Parecki
> You type your email address into {The Bat} to begin configuration. {The Bat} does discovery [1][2] to locate the OAuth/OIDC server for {My ISP}. The discovery document reveals that {My ISP} supports open dynamic client registration [3][4] so {The Bat} registers and gets issued with a client id

Re: [OAUTH-WG] subdomain

2021-02-24 Thread Jerry Leyendecker
the credentials in the clear. > >> > >> We're a little better mostly these days, but it's still a tirefire, and > in my heart I do hold the OAuth working group's squatting on this area of > the landscape while failing to address this burning need partially > responsible. The result

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Neil Madden
On 24 Feb 2021, at 11:39, Bron Gondwana wrote: > >> >> […] > > Let's get down to use cases then, rather than talking in abstracts. > > I'm an end user with a copy of {The Bat email client} and I want to connect > it to {Gmail} + {Yahoo} + {My ISP}. It supports {POP3}, a widely popular >

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Bron Gondwana
On Wed, Feb 24, 2021, at 23:09, Warren Parad wrote: > (I tend to trend lightly in the pronoun area, mostly because I'm shocked that > openid included gender but not pronouns) > > I hadn't heard that to be called the NxM problem, so that definitely cleared > up the potential confusion (at

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Warren Parad
(I tend to trend lightly in the pronoun area, mostly because I'm shocked that openid included gender but not pronouns) I hadn't heard that to be called the NxM problem, so that definitely cleared up the potential confusion (at least for me). I think GNAP's lack of clarity is a non sequitur for

Re: [OAUTH-WG] OAuth Digest, Vol 148, Issue 78

2021-02-24 Thread Jerry Leyendecker
-- > > Message: 2 > Date: Wed, 24 Feb 2021 04:41:40 -0600 > From: Jerry Leyendecker > To: oauth@ietf.org > Subject: [OAUTH-WG] Send me the autherized paperwork > Message-ID: > 64b6sjzoda8kj0tnzkfawb5_jdu5sbhuz...@mail.gmail.com> > Content-Type: text/plain; charset

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Bron Gondwana
On Wed, Feb 24, 2021, at 22:04, Warren Parad wrote: > I would prefer Bron to answer that question, as they are the one who started > this email thread. You can also use he when talking about me, or she for that matter - I do enough group fitness classes where it's roughly assumed that the

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Warren Parad
I would prefer Bron to answer that question, as they are the one who started this email thread. However let's look at GNAP, I've honestly been struggling to understand at least one fully documented case that GNAP supports. It seems in every document the only thing that is clear is GNAP wants to

[OAUTH-WG] Send me the autherized paperwork

2021-02-24 Thread Jerry Leyendecker
Approved ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Carsten Bormann
On 2021-02-24, at 11:22, Warren Parad wrote: > > Should we solve the NxM problem, and if so, how do you propose we do that? Let GNAP do that. Grüße, Carsten

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-24 Thread Warren Parad
 Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress . On Wed, Feb 24, 2021 at 10:09 AM Hannes Tschofenig < hannes.tschofe...@arm.com> wrote: > Hi Phil, > > > > I am moving this to the OAuth group to avoid confusing

Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

2021-02-24 Thread Warren Parad
Should we solve the NxM problem, and if so, how do you propose we do that? Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress . On Wed, Feb 24, 2021 at 8:08 AM Bron Gondwana wrote: > On Wed, Feb 24, 2021, at 17:26,

Re: [OAUTH-WG] Diversity and Inclusiveness in the IETF

2021-02-24 Thread Hannes Tschofenig
Hi Phil, I am moving this to the OAuth group to avoid confusing the IETF list any further. See my feedback below. From: ietf On Behalf Of Phillip Hallam-Baker Sent: Wednesday, February 24, 2021 6:47 AM To: Kathleen Moriarty Cc: i...@ietf.org; oauth@ietf.org Subject: Re: Diversity and