Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Breno
in the spec by the definition of two response_types and flows? On Thu, Mar 15, 2012 at 3:54 PM, Breno de Medeiros br...@google.com wrote: On Thu, Mar 15, 2012 at 15:43, Eran Hammer e...@hueniverse.com wrote: I don't know how to better explain myself. Forget about the text you have issue

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
with precisely this issue) and possibly lead to harmful future interpretation. EH *From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of *Nat Sakimura *Sent:* Thursday, March 15, 2012 2:04 AM *To:* Breno de Medeiros; OAuth WG *Subject:* Re: [OAUTH-WG

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
the core confusion here which is what is the right way to handle hybrid clients. The best way to move forward is to take a minute and ask the group to share how they handle such cases or how they think they should be handled. Based on that we can come up with a clear solution. EH From: Breno

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
in the current document. Also, you are ignoring my detailed analysis of the current facts. We have two client types and the issue here is what to do with other, undefined types. EH On 3/15/12 11:54 AM, Breno de Medeiros br...@google.com wrote: My proposal is to remove any reference

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
informative discussion. You can also do other things, like introduce normative language that makes sense. But I have not yet seen proposed language that would be acceptable. EH On 3/15/12 12:30 PM, Breno de Medeiros br...@google.com wrote: I am proposing the entire removal of: A client

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Breno de Medeiros
-Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Marius Scurtescu Sent: Wednesday, March 14, 2012 9:53 AM To: OAuth WG Cc: Breno de Medeiros Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 Hi, Nat Sakimura started

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Breno de Medeiros
on client type identification. EH -Original Message- From: Mike Jones [mailto:michael.jo...@microsoft.com] Sent: Wednesday, March 14, 2012 11:42 AM To: Eran Hammer; Marius Scurtescu Cc: Breno de Medeiros; OAuth WG Subject: RE: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Re: [OAUTH-WG] Proposed change to section 8.4. Defining New Authorization Endpoint Response Types

2011-07-20 Thread Breno
https://www.ietf.org/mailman/listinfo/oauth -- Breno de Medeiros ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] OAuth v2-18 comment on state parameter

2011-07-20 Thread Breno
-- Breno de Medeiros

Re: [OAUTH-WG] defining new response types

2011-07-20 Thread Breno
[mailto:oauth-boun...@ietf.org] *On Behalf Of *Breno *Sent:* Wednesday, July 20, 2011 7:52 AM *To:* Paul Tarjan *Cc:* OAuth WG *Subject:* Re: [OAUTH-WG] defining new response types Comments inline. On Tue, Jul 12, 2011 at 8:23 PM, Paul Tarjan p...@fb.com wrote: I

Re: [OAUTH-WG] defining new response types

2011-07-12 Thread Breno de Medeiros
the hex code for +. Marius -- --Breno

Re: [OAUTH-WG] defining new response types

2011-07-12 Thread Breno de Medeiros
it is a useful *convention*. Do people want to keep it or drop it? EHL -Original Message- From: Breno de Medeiros [mailto:br...@google.com] Sent: Tuesday, July 12, 2011 10:59 AM To: Eran Hammer-Lahav Cc: Marius Scurtescu; OAuth WG Subject: Re: [OAUTH-WG] defining new response types

Re: [OAUTH-WG] defining new response types

2011-07-12 Thread Breno de Medeiros
. 2. Should the protocol support dynamic composite values with the added complexity (breaking change)? That's my preference. EHL -Original Message- From: Breno de Medeiros [mailto:br...@google.com] Sent: Tuesday, July 12, 2011 11:18 AM To: Eran Hammer-Lahav Cc: Marius Scurtescu

Re: [OAUTH-WG] [apps-discuss] [http-state] HTTP MAC Authentication Scheme

2011-06-08 Thread Breno de Medeiros
-discuss -- --Breno

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
-- Breno de Medeiros

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
-- Breno de Medeiros

Re: [OAUTH-WG] oauth2 implicit flow user experience

2011-05-11 Thread Breno
On Wed, May 11, 2011 at 3:26 PM, Lodderstedt, Torsten t.lodderst...@telekom.de wrote: Through registration and redirect URI validation. A native app does not have to impersonate, they can just register a user-agent client. Everything boils down to the user trusting the app. As Breno

Re: [OAUTH-WG] Fwd: OAuth Security Consideration Text

2011-05-11 Thread Breno
On Wed, May 11, 2011 at 7:23 PM, Lodderstedt, Torsten t.lodderst...@telekom.de wrote: Hi Breno, thanks for the feedback. Please find my comments inline. Now higher level comments: On Native Apps protection of refresh token: On section Definitions, there is a sentence

Re: [OAUTH-WG] Freedom of assembly for response_type

2011-02-18 Thread Breno
On Fri, Feb 18, 2011 at 7:17 AM, Paul Madsen paul.mad...@gmail.com wrote: Breno, why are you using 'cookie' in this context? SAML's 'session management' (I assume you are referring to SLO?) functionality does not rely on browser cookies, but rather on the participants sending

[OAUTH-WG] Freedom of assembly for response_type

2011-02-17 Thread Breno
of values. -- Breno de Medeiros

Re: [OAUTH-WG] Freedom of assembly for response_type

2011-02-17 Thread Breno
:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of *Breno *Sent:* Thursday, February 17, 2011 10:30 AM *To:* oauth@ietf.org *Subject:* [OAUTH-WG] Freedom of assembly for response_type - Problem 1: Several WG participants are working on deploying a federated signon protocol

Re: [OAUTH-WG] Freedom of assembly for response_type

2011-02-17 Thread Breno
to extend. That’s like the OAuth 1.0 utterly broken oauth_version parameter and the long confusion it created later on. EHL *From:* Breno [mailto:breno.demedei...@gmail.com] *Sent:* Thursday, February 17, 2011 1:58 PM *To:* Eran Hammer-Lahav *Cc:* oauth@ietf.org *Subject:* Re: [OAUTH

Re: [OAUTH-WG] Freedom of assembly for response_type

2011-02-17 Thread Breno
or in combination with token, it's returned in the End User Authorization Response, in analogy/in addition to the access_token - If specified in combination with code, it's returned in exchange for the code, in analogy with the access_token EHL *From:* Breno [mailto:breno.demedei

Re: [OAUTH-WG] Freedom of assembly for response_type

2011-02-17 Thread Breno
. Can you request only a cookie? Or is it always with either a token or code? The idea is that a grant can be exchanged for only a cookie in some cases. EHL *From:* Breno [mailto:breno.demedei...@gmail.com] *Sent:* Thursday, February 17, 2011 4:50 PM *To:* Eran Hammer-Lahav *Cc

Re: [OAUTH-WG] Freedom of assembly for response_type

2011-02-17 Thread Breno
an explicit exchange from a code-type grant. EHL *From:* Breno [mailto:breno.demedei...@gmail.com] *Sent:* Thursday, February 17, 2011 5:10 PM *To:* Eran Hammer-Lahav *Cc:* oauth@ietf.org *Subject:* Re: [OAUTH-WG] Freedom of assembly for response_type On Thu, Feb 17, 2011 at 4

Re: [OAUTH-WG] [Openid-specs-ab] JSON Token spec work at IIW

2010-11-10 Thread Breno de Medeiros
Thanks for circulating these. --Breno. On Tue, Nov 9, 2010 at 21:59, Mike Jones michael.jo...@microsoft.com wrote: I’ve now finished my series of posts on the JSON token spec work that occurred at IIW. For reference, they are: - JSON Token Spec Results at IIW on Tuesday: http://self

[OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Breno
that resources at http/https are usually identical, then http is a non-authorized method to access the resource (403). Thoughts? -- Breno de Medeiros

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Breno
in the spec? EHL -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Breno Sent: Wednesday, October 13, 2010 11:31 AM To: oauth@ietf.org Subject: [OAUTH-WG] Request sent to http: instead of https:` Suppose server A documents

Re: [OAUTH-WG] Request sent to http: instead of https:`

2010-10-13 Thread Breno
: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of William Mills Sent: Wednesday, October 13, 2010 5:05 PM To: Breno; Jeff Lindsay Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Request sent to http: instead of https:` This rather implies that we're specifying running a full

Re: [OAUTH-WG] proposal for signatures

2010-06-25 Thread Breno
that many providers now offer only a single, shared secret is an indication that the key ID is not required. Are you arguing here that the key_id should be an optional field, or that it should not be part of the specification at all? On Jun 25, 2010, at 7:40 AM, Breno wrote: Key ids

Re: [OAUTH-WG] Understanding the reasoning for Base64

2010-06-25 Thread Breno
(data)) would be acceptable. Thanks, -Naitik -- Breno de Medeiros

Re: [OAUTH-WG] proposal: multiple access tokens from a single authorization flow

2010-06-16 Thread Breno
scope. Well, what about just returning a refresh token with the access token when the requested set of scopes for the access token is stricter? Of course, in the user-agent flow there is no refresh token. EHL From: Breno [mailto:breno.demedei...@gmail.com] Sent: Wednesday, June 16, 2010

Re: [OAUTH-WG] A display parameter for user authorization requests

2010-06-09 Thread Breno de Medeiros
On Wed, Jun 9, 2010 at 12:06, David Recordon record...@gmail.com wrote: First draft of the UX Extension is at http://github.com/daveman692/OAuth-2.0/raw/master/draft-recordon-oauth-v2-ux-00.txt. Eran, I'm more than happy to have you take over as editor. I included Allen and Breno as authors