Re: [OAUTH-WG] Security of OAuth on Android [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]

2021-03-16 Thread Om
If I read this correctly, https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-10 the 2.1 draft already addresses this under best practices. On Mon, Mar 15, 2021 at 3:31 PM Neil Madden wrote: > I want to come back to this topic as a new thread. > > As I understand things, the difference

Re: [OAUTH-WG] Nonce-based Replay Protection for DPoP

2021-03-16 Thread Benjamin Kaduk
On Tue, Mar 16, 2021 at 05:45:46PM -0400, Rifaat Shekh-Yusef wrote: > Brian, > > For a nonce-based replay protection you might want to look at the ACME > protocol here: > https://tools.ietf.org/html/rfc8555#section-6.5 Yes, that one is really solid for the sort of thing it does, and I find mysel

[OAUTH-WG] Nonce-based Replay Protection for DPoP

2021-03-16 Thread Rifaat Shekh-Yusef
Brian, For a nonce-based replay protection you might want to look at the ACME protocol here: https://tools.ietf.org/html/rfc8555#section-6.5 Regards, Rifaat ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Access Token Hash for DPoP

2021-03-16 Thread Justin Richer
As discussed on the call yesterday, I have put together a modest proposal for adding access token hash to the DPoP draft. https://github.com/danielfett/draft-dpop/pull/62 Instead of using the existing OpenID Connect “at_hash” claim and definiti