Re: [OAUTH-WG] Call for Adoption: DPoP

2020-03-17 Thread Anthony Nadalin
+1 From: OAuth On Behalf Of Mike Jones Sent: Tuesday, March 17, 2020 8:14 AM To: Rifaat Shekh-Yusef ; oauth Subject: [EXTERNAL] Re: [OAUTH-WG] Call for Adoption: DPoP I am for adoption of DPoP. -- Mike From: OAuth

Re: [OAUTH-WG] [EXTERNAL] OAuth 2.1: dropping password grant

2020-02-18 Thread Anthony Nadalin
I would suggest a SHOULD NOT instead of MUST, there are still sites using this and a grace period should be provided before a MUST is pushed out as there are valid use cases out there still. From: OAuth On Behalf Of Dick Hardt Sent: Tuesday, February 18, 2020 12:37 PM To: oauth@ietf.org

Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop

2019-08-12 Thread Anthony Nadalin
I know you were too polite ! From: Steinar Noem Sent: Saturday, August 10, 2019 11:04 AM To: Nat Sakimura Cc: Anthony Nadalin ; Mike Jones ; OAuth WG Subject: Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop That is good to hear, Nat. I tried to be as polite as possible

Re: [OAUTH-WG] Location and dates for next OAuth Security Workshop

2019-08-08 Thread Anthony Nadalin
How about the University in Gjovik ? From: OAuth on behalf of Daniel Fett Sent: Wednesday, August 7, 2019 11:47:51 PM To: Dick Hardt ; dba...@leastprivilege.com Cc: Mike Jones ; OAuth WG Subject: Re:

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread Anthony Nadalin
I support adoption of this draft as a working group document with the following caveats: 1. These are not to be used as ID Tokens/authentication tokens 2. The privacy issues must be addressed 3. Needs to be extensible, much like ID-Token, can't be 100% fixed -Original Message- From:

Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

2018-07-20 Thread Anthony Nadalin
I’m concerned over the security implications of a client being able to introspect a token, for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed I don’t support this as a WG draft From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent:

Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours

2018-06-18 Thread Anthony Nadalin
I was dialed in and no one was there From: OAuth On Behalf Of Hannes Tschofenig Sent: Monday, June 18, 2018 2:06 PM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours Rifaat was on the call for 30mins but nobody joined. I couldn’t

Re: [OAUTH-WG] Token Binding Presentations?

2017-03-17 Thread Anthony Nadalin
I'm unaware of any support for "OAuth" Token Binding from Microsoft, so I assume you are talking just about Token Binding cookies From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Friday, March 17, 2017 10:43 AM To: Jim Manico Cc: IETF OAUTH

Re: [OAUTH-WG] Updated Shepherd Write-Up for Native Apps document

2017-03-07 Thread Anthony Nadalin
I'm still getting feedback on the Windows examples that are pointed to by the spec, since it's not a simple case on Windows -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, March 6, 2017 8:00 AM To: oauth@ietf.org Subject:

Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-02 Thread Anthony Nadalin
I would be in favor of this -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, February 1, 2017 11:10 PM To: oauth@ietf.org Subject: [OAUTH-WG] Call for adoption: OAuth Security Topics Hi all, this is the call for adoption of

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

2017-02-01 Thread Anthony Nadalin
We have interoped between FIDO authenticators vendors and Windows Hello -Original Message- From: Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] Sent: Wednesday, February 1, 2017 4:24 PM To: Mike Jones <michael.jo...@microsoft.com>; Anthony Nadalin <tony...@microsoft.c

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

2017-02-01 Thread Anthony Nadalin
and thus want to make sure there is a way to distinguish during the authentication since the iris scan reduces the probability of error -Original Message- From: Stephen Farrell [mailto:stephen.farr...@cs.tcd.ie] Sent: Wednesday, February 1, 2017 4:15 PM To: Anthony Nadalin <t

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

2017-02-01 Thread Anthony Nadalin
NIST asked for the addition of IRIS (as they are seeing more use of IRIS over retina due to the accuracy of iris) as they have been doing significant testing on various iris devices and continue to do so, here is a report that NIST released

Re: [OAUTH-WG] Future of PoP Work

2016-10-19 Thread Anthony Nadalin
I would like to see us proceed with the symmetric PoP work in Oauth WG and stop the HTTP Signing work all together From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Wednesday, October 19, 2016 12:54 PM To: Hannes Tschofenig Cc:

Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation

2016-09-21 Thread Anthony Nadalin
I’m not aware of any IPR From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM) Sent: Tuesday, September 20, 2016 8:54 PM To: Mike Jones Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Authentication Method Reference Values Document: IPR Confirmation I

Re: [OAUTH-WG] Following up on token exchange use case

2016-09-08 Thread Anthony Nadalin
Things have gotten so muddled not sure where to begin, the original goal of this draft was to provide the function that we use in daily high volume production of WS-Trust as we transition to Oauth. WS-Trust provided many options, one was ActAs and the other was OnBehalfOf, these were 2

Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0

2016-08-16 Thread Anthony Nadalin
I’m OK with the

Re: [OAUTH-WG] OAuth Security -- Next Steps

2016-07-25 Thread Anthony Nadalin
Sounds about right, but I would imagine that the BCP would cover any issue that arises not just mix-up -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, July 25, 2016 3:59 AM To: oauth@ietf.org Subject: [OAUTH-WG] OAuth Security

Re: [OAUTH-WG] RT treatment in Token Exchange

2016-07-05 Thread Anthony Nadalin
So I think the proposed wording is still too specific and limits the use case, I also don’t understand the usage of “credential” in your description as this does not have to be a credential. So suggest that this be simple and if you want you can explain in the security considerations section

Re: [OAUTH-WG] closing an open issue about supplementary info in the Token Exchange request

2016-06-20 Thread Anthony Nadalin
Sounds appropriate From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, June 20, 2016 10:16 AM To: oauth Subject: [OAUTH-WG] closing an open issue about supplementary info in the Token Exchange request A good while back in an off list

Re: [OAUTH-WG] Reminder: OAuth Security Workshop

2016-05-16 Thread Anthony Nadalin
Can I also suggest that a PayPal or Credit Card payment be added as a means as bank transfer for corporate folks is like impossible -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Monday, May 16, 2016 4:25 AM To: Hannes Tschofenig

Re: [OAUTH-WG] Multi-AS State Re-Use

2016-05-10 Thread Anthony Nadalin
STATE can be anything, it does not have to be a NONCE so changing this would cause issues at this time for existing deployments From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Monday, May 9, 2016 7:34 PM To: Guido Schmitz ; oauth@ietf.org Subject:

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-12 Thread Anthony Nadalin
ors...@lodderstedt.net> Cc: Anthony Nadalin <tony...@microsoft.com>; <oauth@ietf.org> <oauth@ietf.org> Subject: Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0 +1 to Torsten’s point. And a reminder to Tony that call for adoption is the *start* of the document edit

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-11 Thread Anthony Nadalin
So now you are adding more requirements for encryption ? The more this thread goes on shows how unstable and not fully thought out this draft is to go through WG adoption. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, April 11, 2016 12:30 PM To: Nat

[OAUTH-WG] Token Binding and RFC5705

2016-04-09 Thread Anthony Nadalin
At the informal Token Binding meeting we had a discussion of Java servers supporting TB, the support would have to come out of JSSE, here is the analysis on what it would take to change JSSE Implementing 5705 itself, would not take too long and appears to be pretty straightforward. The EKM is

Re: [OAUTH-WG] OAuth 2.1

2016-04-07 Thread Anthony Nadalin
I don't believe that scopes should be defined more precisely as this opaqueness was a design feature, I'm not seeing the reason why scopes need to be defined, as these are application specific. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Anthony Nadalin
: Wednesday, April 6, 2016 1:13 PM To: Anthony Nadalin <tony...@microsoft.com> Cc: Phil Hunt (IDM) <phil.h...@oracle.com>; oauth@ietf.org Subject: Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0 Multiple resources are there now. I have no idea what "interaction wi

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-06 Thread Anthony Nadalin
I would like to see the multiple resources servers, interaction with Token Exchange resolved before this is adopted to see if this will actually solve the problems From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Wednesday, April 6, 2016 12:52 PM To: Phil Hunt (IDM)

Re: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20

2016-04-06 Thread Anthony Nadalin
Wasn't this the task of the design team ? -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, April 6, 2016 10:48 AM To: oauth@ietf.org Subject: [OAUTH-WG] Informal Discussion about Discovery Today at 16:20 Hi all, during the

Re: [OAUTH-WG] [scim] Simple Federation Deployment server to server

2016-04-06 Thread Anthony Nadalin
6, 2016 5:52 AM To: Anthony Nadalin <tony...@microsoft.com> Cc: Gil Kirkpatrick <gil.kirkpatr...@viewds.com>; Nat Sakimura <n-sakim...@nri.co.jp>; Phil Hunt (IDM) <phil.h...@oracle.com>; s...@ietf.org; oauth@ietf.org Subject: Re: [scim] [OAUTH-WG] Simple Federation

Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Anthony Nadalin
I would be interested also From: Gil Kirkpatrick Sent: Wednesday, April 6, 2016 4:16 AM To: 'Nat Sakimura'; 'Hardt, Dick'; 'Phil Hunt (IDM)' Cc:

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

2016-03-15 Thread Anthony Nadalin
hy one would use them. On Mon, Mar 14, 2016 at 4:29 PM, Anthony Nadalin <tony...@microsoft.com> wrote: I would really like to see a comprehensive solution not this piece work, so we know what we are solving and what we are not. -Original Messag

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

2016-03-14 Thread Anthony Nadalin
I would really like to see a comprehensive solution not this piece work, so we know what we are solving and what we are not. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hans Zandbelt Sent: Monday, March 14, 2016 3:26 PM To: Phil Hunt (IDM)

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-bound-config-00.txt

2016-03-14 Thread Anthony Nadalin
...@ietf.org<mailto:internet-dra...@ietf.org> Subject: New Version Notification for draft-hunt-oauth-bound-config-00.txt Date: March 13, 2016 at 3:53:37 PM PDT To: "Phil Hunt" <phil.h...@yahoo.com<mailto:phil.h...@yahoo.com>>, "Anthony Nadalin" &

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Anthony Nadalin
incomplete There are still documents from Nat, and I believe there will be one from Phil and maybe others. From: Mike Jones Sent: Saturday, March 12, 2016 8:29 AM To: Anthony Nadalin <tony...@microsoft.com>; Brian Campbell <bcampb...@pingidentity.com>; John Bradley <ve7...@ve7jtb.com>

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Anthony Nadalin
From: Mike Jones Sent: Saturday, March 12, 2016 8:06 AM To: Anthony Nadalin <tony...@microsoft.com>; Brian Campbell <bcampb...@pingidentity.com>; John Bradley <ve7...@ve7jtb.com> Cc: oauth <oauth@ietf.org> Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
Sorry but not true, this started out as “discovery” and now it’s not From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Friday, March 11, 2016 3:59 PM To: Anthony Nadalin <tony...@microsoft.com> Cc: John Bradley <ve7...@ve7jtb.com>; oauth <oauth@ietf.org> Subj

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
estly we probably should have separated scope and destination in the first place and returned both dst and scope in the response all along, so this is update that is consistent with the existing architecture of OAuth 2. Let's keep the two issues separate. John B. On Mar 11, 2016, at 12:07

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
There have been way too many issues, confused conversations and discussions on and off list to have this document move forward, suggest that this be one of the main items on the agenda for when we meet. From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM) Sent: Thursday,

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Anthony Nadalin
The relationship between AS and RS needs to be scoped to “does this RS accept tokens from this AS” as a list is too much information that could be used in the wrong way From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Thursday, March 10, 2016 6:25 PM To: Phil Hunt

Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-meta-07.txt

2016-02-24 Thread Anthony Nadalin
To: Anthony Nadalin <tony...@microsoft.com>; oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-meta-07.txt Link relation is not at all XML. It is a step forward to RESTfulness. In the older version of the draft, I was using JSON

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-02-24 Thread Anthony Nadalin
Sure there is, it is as you have now made it far easier and the security considerations does not even address this From: Mike Jones Sent: Wednesday, February 24, 2016 10:22 AM To: Anthony Nadalin <tony...@microsoft.com> Cc: <oauth@ietf.org> <oauth@ietf.org> Subject: RE: [O

Re: [OAUTH-WG] OAuth 2.0 Discovery Location

2016-02-24 Thread Anthony Nadalin
> The point of the WGLC is to finish standardizing the core discovery > functionality that’s already widely deployed. That may be widely deployed for OIDC but not widely deployed for OAuth. There are some authentication mechanism discovery for endpoint that really should not be in an OAuth

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-23 Thread Anthony Nadalin
I hear that many folks don't want to add a mandatory crypto operation on the client side :-( -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Tuesday, February 23, 2016 3:17 PM To: Roland Hedberg Cc:

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-23 Thread Anthony Nadalin
I would go with option A, option B introduces concepts/syntax that complicates the current Oauth model -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Friday, February 19, 2016 11:43 AM To: oauth@ietf.org Subject: [OAUTH-WG] Fixing the

Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

2016-02-18 Thread Anthony Nadalin
e not been addressed. -Original Message- From: Mike Jones Sent: Thursday, February 18, 2016 10:18 AM To: Anthony Nadalin <tony...@microsoft.com>; Hannes Tschofenig <hannes.tschofe...@gmx.net>; Phil Hunt <phil.h...@oracle.com>; John Bradley <ve7...@ve7jtb.com> Cc: oau

Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

2016-02-18 Thread Anthony Nadalin
I also think we are way far from last call (and surprised to see last call issued) on this document as it is still very complex for something that should be very simple -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday,

Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-meta-07.txt

2016-02-16 Thread Anthony Nadalin
I really think that this is a step backwards relative to technology and what the developers would accept. The Link Relations takes us back to the XML days, I thought we have all moved on from that and at least trying to move Oauth to JSON. I think if this were adopted we might be splitting the

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation

2016-01-20 Thread Anthony Nadalin
+1 From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of William Denniss Sent: Wednesday, January 20, 2016 6:30 PM To: John Bradley ; Phil Hunt (IDM) Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation +1 for

Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

2016-01-20 Thread Anthony Nadalin
This work had many issues in the OpenID WG where it failed why should this be a WG item here ? The does meet the requirements for experimental, there is a fine line between informational and experimental, I would be OK with either but prefer experimental, I don’t think that this should become a

Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

2016-01-20 Thread Anthony Nadalin
After reading this draft I think that this may be better off as an experimental draft and not a WG draft -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Tuesday, January 19, 2016 3:47 AM To: oauth@ietf.org Subject: [OAUTH-WG] Call for

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
I can say on all windows based devices (pc, xbox, phone, etc) with only TPM 1.1 this will be the approach so it will be commonly used -Original Message- From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Wednesday, November 4, 2015 8:52 PM To: Anthony Nadalin <tony...@microsoft.

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
Not sure why you think its weaker as it would be a wrapped key that the hardware produces -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, November 4, 2015 8:43 PM To: Justin Richer Cc:

Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

2015-11-04 Thread Anthony Nadalin
: Wednesday, November 4, 2015 8:48 PM To: Anthony Nadalin <tony...@microsoft.com> Cc: John Bradley <ve7...@ve7jtb.com>; <oauth@ietf.org> <oauth@ietf.org> Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment That’s only if yo

Re: [OAUTH-WG] confirmation model in proof-of-possession-02

2015-08-18 Thread Anthony Nadalin
I would rather just keep the cnf claim rather than flatten the structure since we are already using the cnf in production with the XBOX One. We are also using multiple confirmation keys and using the cnf claim makes it easier to have multiple confirmation keys (by just defining a new claim to

Re: [OAUTH-WG] Use of Token Exchange spec for API Federation

2015-07-15 Thread Anthony Nadalin
So in your scenario where you have client (c), user (u), resource (r) and resource 1(r1) does the flow go like U-C-R-R1 or U-C-R and U-C-R1 ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Chuck Mortimore Sent: Wednesday, July 15, 2015 12:47 PM To: OAuth WG oauth@ietf.org; Mike Jones

Re: [OAUTH-WG] Token Chaining Use Case

2015-07-07 Thread Anthony Nadalin
I’m not sure how Brian’s approach solves the basic generic token exchange use case that we have From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Justin Richer Sent: Tuesday, July 7, 2015 4:47 PM To: Mike Jones michael.jo...@microsoft.com Cc: oauth@ietf.org oauth@ietf.org Subject: Re:

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-06 Thread Anthony Nadalin
The WS-Trust “ActAs” mimics the Windows Kerberos Protocol Transition (impersonation) feature as this enables an account to impersonate another account for the purpose of providing access to resources. In a typical scenario, the impersonating account would be a service account assigned to a

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-06 Thread Anthony Nadalin
use case then what the feature of https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-01#section-1.3 describes. From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Monday, July 6, 2015 2:33 PM To: Anthony Nadalin tony...@microsoft.com Cc: Mike Jones michael.jo

Re: [OAUTH-WG] JWT Token on-behalf of Use case

2015-07-01 Thread Anthony Nadalin
Not quite, the actual tokens are still opaque, the requestor is just asking for a token exchange, the requestor can specify the requested token type it's up to the server to determine the actual token it will deliver -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On

Re: [OAUTH-WG] JWT Destination Claim

2015-03-25 Thread Anthony Nadalin
There are some folks out there that are using AUD to mean DST. Adding DST is confusing, if you want to use it that's fine but don't see a need to standardize every claim that someone comes up with From: Brian

[OAUTH-WG] Token Introspection: Misc Review Comments

2015-03-05 Thread Anthony Nadalin
Some comments: The endpoint MAY allow other parameters to provide further context to the query. If the endpoint does not understand these the endpoint must ignore. The only MUST in this specification is to return the active Boolean, but this is still underspecified as there is no definition

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-05 Thread Anthony Nadalin
tell what cnf really is ? Is this proposal also limited to a single key for both asymmetric and symmetric ? -Original Message- From: Mike Jones Sent: Wednesday, March 4, 2015 3:34 PM To: Anthony Nadalin; Hannes Tschofenig; oauth@ietf.org Subject: RE: [OAUTH-WG] draft-ietf-oauth-proof

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection Claims

2015-03-04 Thread Anthony Nadalin
The definition of “active” is really up to the authorization server, and I’ve yet to hear from an actual implementor who’s confused by this definition. When you’re the one issuing the tokens, you know what an “active” token means to you According to the spec as written the Introspection

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread Anthony Nadalin
Why does the specification state encrypted to a key known to the recipient using the JWE Compact Serialization is this the only serialization allowed (there is no MUST) ? containing the symmetric key. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-02 Thread Anthony Nadalin
tokens, do you expect the endpoint to ignore this and process the tokens for metadata ? From: Justin Richer [mailto:jric...@mit.edu] Sent: Monday, December 1, 2014 4:42 PM To: Anthony Nadalin Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-introspection 1. Is the metadata

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-01 Thread Anthony Nadalin
so folks get the same results on different endpoints From: Justin Richer [mailto:jric...@mit.edu] Sent: Sunday, November 30, 2014 6:57 PM To: Anthony Nadalin Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-introspection Tony, thanks for the comments. Your timing is great, as I

[OAUTH-WG] draft-ietf-oauth-introspection

2014-11-30 Thread Anthony Nadalin
Comments Intro about the authentication context, not sure what this is since there is no authentication context in Oauth Use of Oauth2, mixed with use of Oauth, pick one allows holder of a token to query so anything/anyone that has a token can use this endpoint? Introspection Endpoint Use of

Re: [OAUTH-WG] Notes from 2nd OAuth Authentication Conference Call

2014-10-16 Thread Anthony Nadalin
Same here -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday, October 16, 2014 10:17 AM To: Hannes Tschofenig; oauth@ietf.org Subject: Re: [OAUTH-WG] Notes from 2nd OAuth Authentication Conference Call For what it's worth, I was on the

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
Is experimental the correct classification? Maybe informational is more appropriate as both of these were discussed. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Wednesday, September 10, 2014 4:50 PM To: oauth@ietf.org Subject:

Re: [OAUTH-WG] Dynamic Client Registration Management Protocol: Next Steps?

2014-09-11 Thread Anthony Nadalin
I don't see it that way as the guidelines are not clear and we should revisit this since there was no conclusion in Toronto. -Original Message- From: Richer, Justin P. [mailto:jric...@mitre.org] Sent: Thursday, September 11, 2014 8:01 AM To: Anthony Nadalin Cc: Hannes Tschofenig; oauth

Re: [OAUTH-WG] OAuth Authentication: What can go wrong?

2014-09-11 Thread Anthony Nadalin
Add me -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Thursday, September 11, 2014 3:30 PM To: oauth@ietf.org Cc: Derek Atkins Subject: [OAUTH-WG] OAuth Authentication: What can go wrong? Hi all, at the last IETF meeting Mike gave a

Re: [OAUTH-WG] Confirmation: Call for Adoption of OAuth 2.0 Token Exchange as an OAuth Working Group Item

2014-08-11 Thread Anthony Nadalin
I read the draft and just don’t get it, it overloads some of the basic semantics, I’m not quite sure you get the concept of token exchange, has what you described been deployed ? or even built ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Monday, August 11,

Re: [OAUTH-WG] Confirmation: Call for Adoption of OAuth Token Introspection as an OAuth Working Group Item

2014-07-30 Thread Anthony Nadalin
John this is for the people that did not hum at the face to face and not just for the people not at the face to face. From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: 7/30/2014 7:20 AM To: Sergey

Re: [OAUTH-WG] Confirmation: Call for Adoption of OAuth Token Introspection as an OAuth Working Group Item

2014-07-29 Thread Anthony Nadalin
I think we need management APIs now to manage the new endpoint, but seriously this introspection proposal has privacy issues, to avoid these I would encrypt the tokens and then this would be a useless endpoint, also this has issues with symmetric POP tokens, but maybe this was only designed to

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
OMG, how can you say that when the Dynamic Reg does the same thing (duplicates) but that is OK to do From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 24, 2014 10:22 AM To: John Bradley Cc: oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-07-24 Thread Anthony Nadalin
Oh yea, real different, give me a freaking break From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, July 24, 2014 6:31 PM To: Anthony Nadalin Cc: John Bradley; oauth@ietf.org list Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
The explanation of on-behalf-Of and ActAs are correct in the document as defined by WS-Trust, this may not be your desire or understanding but that is how WS-Trust implementations should work From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Thursday, July 3, 2014

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
I’m lost, the terms defined in the oauth token-exchange draft are the same terms defined in ws-trust and have the same definitions From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Thursday, July 3, 2014 12:02 PM To: Anthony Nadalin Cc: Vladimir Dzhuvinov; oauth@ietf.org Subject: Re

Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00

2014-07-03 Thread Anthony Nadalin
. -- Mike From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin Sent: Thursday, July 03, 2014 12:04 PM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-jones-oauth-token-exchange-00 I'm lost, the terms defined

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-05 Thread Anthony Nadalin
It’s great but some ways but also very limiting if you are counting on certain requirements to be represented in the access token From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Thursday, June 5, 2014 12:40 PM To: Bill Mills Cc: Phil Hunt; oauth@ietf.org

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-05 Thread Anthony Nadalin
Delegation From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] Sent: Thursday, June 5, 2014 12:45 PM To: Anthony Nadalin Cc: Bill Mills; Phil Hunt; oauth@ietf.org Subject: Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c Examples? Am 05.06.2014 um 21:42 schrieb Anthony

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-15 Thread Anthony Nadalin
Where is the confusion ? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, May 14, 2014 10:59 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering I know a number of people implementing

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
I agree with Phil on this one, there are implementations of this already and much interest From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Wednesday, May 14, 2014 8:32 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
Please list the implementations From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley Sent: Wednesday, May 14, 2014 10:59 AM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering I know a number of people implementing

Re: [OAUTH-WG] OAuth Milestone Update and Rechartering

2014-05-14 Thread Anthony Nadalin
of a4c. From: Chuck Mortimore [mailto:cmortim...@salesforce.com] Sent: Wednesday, May 14, 2014 9:39 AM To: Anthony Nadalin Cc: Phil Hunt; Brian Campbell; oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Milestone Update and Rechartering Can you point to one publicly available or publicly documented

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

2014-04-06 Thread Anthony Nadalin
I have to agree with Phil on this as there are already specs out there that use HoK and PoP, either of these work but prefer HoK as folks get confused with PoP as we have seen this within our company already From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Mike Jones Sent: Thursday,

Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

2014-03-06 Thread Anthony Nadalin
I'm not convinced that scope should be in core -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of tors...@lodderstedt.net Sent: Thursday, March 6, 2014 12:38 AM To: oauth@ietf.org Subject: Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes Hi, regarding dynamic client

Re: [OAUTH-WG] IETF #89 OAuth Meeting Notes

2014-03-06 Thread Anthony Nadalin
+1 should not be merged -Original Message- From: Mike Jones Sent: Thursday, March 6, 2014 5:19 AM To: Anthony Nadalin; tors...@lodderstedt.net; oauth@ietf.org Subject: RE: [OAUTH-WG] IETF #89 OAuth Meeting Notes I also disagree with moving scope into the core registration spec

Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

2014-03-06 Thread Anthony Nadalin
So the current core makes the registration_access_token required and there are open registration endpoints, so this should be optional, there are also cases where the client_id is signed and that becomes the right to the registration endpoint From: OAuth [mailto:oauth-boun...@ietf.org] On

Re: [OAUTH-WG] Working Group Versions of Refactored OAuth Dynamic Client Registration Specs

2014-03-06 Thread Anthony Nadalin
Same is true for the registration_client_uri as I may not need/want this, should be optional From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Anthony Nadalin Sent: Thursday, March 6, 2014 7:02 AM To: Mike Jones; oauth@ietf.org list Subject: Re: [OAUTH-WG] Working Group Versions

Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2

2014-02-27 Thread Anthony Nadalin
, Anthony Nadalin tony...@microsoft.com wrote: Agree, the OAUTH meeting should change to afternoon -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Tuesday, February 25, 2014 2:56 PM To: John Bradley Cc: oauth Subject: Re: [OAUTH-WG] OAuth

Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2

2014-02-25 Thread Anthony Nadalin
Agree, the OAUTH meeting should change to afternoon -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell Sent: Tuesday, February 25, 2014 2:56 PM To: John Bradley Cc: oauth Subject: Re: [OAUTH-WG] OAuth + Open ID Connect Meeting: Sunday, March 2 Yes,

Re: [OAUTH-WG] Draft Agenda

2014-02-24 Thread Anthony Nadalin
Could either Mike or I get 5 min for ActAS/OnBehalf of update? From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Monday, February 24, 2014 10:47 AM To: oauth@ietf.org Subject: [OAUTH-WG] Draft Agenda Hi all, we put a draft agenda online:

Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!

2014-02-03 Thread Anthony Nadalin
So it's a tiny bit better but not sure it has captured all of what was being proposed to fix the original, still not there. 1. The signature on the software statement should be optional 2. The software statement should be an assertion, the assertion can be whatever profiles exist, I understand

Re: [OAUTH-WG] draft-bradley-stateless-oauth-client-00

2013-11-04 Thread Anthony Nadalin
We need to avoid encoding secrets and authentication with client_id as authentication is not part of our mission From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Monday, November 4, 2013 1:38 PM To: Hannes Tschofenig Cc: oauth@ietf.org WG Subject: Re:

Re: [OAUTH-WG] draft-bradley-stateless-oauth-client-00

2013-11-04 Thread Anthony Nadalin
We have mechanisms to do this it's not in our scope to start to encode the client_id with authentication information From: Nat Sakimura [mailto:sakim...@gmail.com] Sent: Monday, November 4, 2013 1:57 PM To: Anthony Nadalin Cc: Hannes Tschofenig; oauth@ietf.org WG Subject: Re: [OAUTH-WG] draft

Re: [OAUTH-WG] draft-bradley-stateless-oauth-client-00

2013-11-04 Thread Anthony Nadalin
Identification is fine as long as it remains opaque and not specific to any format. Authentication remains out of scope From: John Bradley [mailto:ve7...@ve7jtb.com] Sent: Monday, November 4, 2013 2:05 PM To: Anthony Nadalin Cc: Nat Sakimura; Hannes Tschofenig; oauth@ietf.org WG Subject: Re

Re: [OAUTH-WG] OAuth Agenda for IETF-88

2013-10-31 Thread Anthony Nadalin
The client registration is still open, so we need to continue our discussion that was started with the interim call -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Derek Atkins Sent: Thursday, October 31, 2013 1:07 PM To: oauth@ietf.org

Re: [OAUTH-WG] OAuth Agenda for IETF-88

2013-10-31 Thread Anthony Nadalin
Would like 10 min to discuss ActAs draft -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Derek Atkins Sent: Thursday, October 31, 2013 1:07 PM To: oauth@ietf.org Subject: [OAUTH-WG] OAuth Agenda for IETF-88 The IETF is next week, and OAuth
