Hi Denis,
If I understand your arguments correctly, you'd like a way to ask the AS
to add an RS supplied nonce to the access_token. This is done in OpenID
Connect with the id_token but nothing like this exists within OAuth2.
Largely because the entity asking for the token (client) is
Hi John,
The privacy problem is a touch hypothetical the way that OAuth
currently works. There is no standard access token; an AS producing
access tokens that could be used across a number of RS in different
security domains would be a security disaster, unless they are proof
of possession tokens.
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Steinegger, Roland Heinz (TM)
Sent: Friday, November 18, 2016 12:49 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
On the new parameter.
I agree. The description of a "Collision
Hi Hannes,
I do not deny the fact that it is necessary to provide some information to the
authorization server to indicate the resource server where the access token
shall only be used.
Let us illustrate the concept with a simple scenario.
A user first connects to a resource server and
Hi Denis
draft-campbell-oauth-resource-indicators gives the authorization server
information about the resource server the access token will be used with.
Without this information there is the risk that the access token is
replayed at other resource servers and with the proof-of-possession /
otect.
Hence, a logical name can be an absolute URI or a String as well.
Regards
Vivek Biswas, CISSP
Consulting Member, Security
Oracle Corporation.
*From:* Denis [mailto:denis.i...@free.fr]
*Sent:* Tuesday, November 15, 2016 3:50 AM
*To:* oauth@ietf.org
*Subject:* [OAUTH-WG] About Big Brother and
y not be a
problem from my point of view.
> Date: Thu, 17 Nov 2016 11:25:15 -0800
> From: Jim Willeke <j...@willeke.com>
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] About Big Brother and
> draft-campbell-oauth-resource-indicators-00
>
> I liked the usage in h
In this document the information is very much intended for the
authorization server so that it can make appropriate policy choices about
the token to be issued.
On Tue, Nov 15, 2016 at 4:50 AM, Denis wrote:
> Hello everybody,
>
> Since I am not present at the meeting, I read
Hello everybody,
Since I am not present at the meeting, I read the minutes from the first
session, in particular:
Brian Campbell and John did a draft allowing the client to tell the
AS where it plans to use the token
draft-campbell-oauth-resource-indicators
This
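The point John and Hannes make above (the AS binds the token to the resource server the client named, and the RS refuses a token that was issued for a different RS) is easy to show end to end. The following is an added example, not code from the thread or from the draft: a toy AS that accepts a `resource` parameter, checks it is an absolute URI naming a resource server it knows, and puts it in the token's `aud`; and a toy RS that rejects any token whose `aud` does not name it, even with a valid signature. The signing key, the RS identifiers, the client id and the "AS requires the parameter" policy are all constructed assumptions; the token is a hand-built HS256 JWT so the script runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlparse

# Constructed values for the example: a demo signing key shared between the
# AS and its resource servers, and the identifiers of the two RSs.
AS_KEY = b"constructed-demo-key-not-for-production"
KNOWN_RS = {"https://calendar.example.com", "https://mail.example.com"}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict, key: bytes = AS_KEY) -> str:
    """Minimal HS256 JWT so the example has no external dependency."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(mac)}"


def issue_access_token(client_id: str, scope: str, resource: Optional[str],
                       now: Optional[int] = None) -> str:
    """AS side: validate the client's resource indicator and bind the token to it.

    Requiring the parameter at all is an AS policy choice (an assumption here);
    the absolute-URI check follows the draft's definition of the parameter.
    """
    if resource is None:
        raise ValueError("invalid_target: this AS requires a resource indicator")
    parsed = urlparse(resource)
    if not (parsed.scheme and parsed.netloc) or parsed.fragment:
        raise ValueError("invalid_target: resource must be an absolute URI with no fragment")
    if resource not in KNOWN_RS:
        raise ValueError("invalid_target: resource server not known to this AS")
    now = int(time.time()) if now is None else now
    return _sign({
        "iss": "https://as.example.com",
        "sub": "user-1",
        "client_id": client_id,
        "aud": resource,          # the binding that stops cross-RS replay
        "scope": scope,
        "iat": now,
        "exp": now + 300,
    })


def verify_at_resource_server(token: str, my_identifier: str,
                              key: bytes = AS_KEY,
                              now: Optional[int] = None) -> dict:
    """RS side: check signature and expiry, then refuse any token whose aud
    does not name this RS, even though the signature is perfectly valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_identifier not in audiences:
        raise ValueError("token was not issued for this resource server")
    return claims


def replay_outcome(token: str, rs_identifier: str, now: int) -> str:
    """Demo helper: 'accepted' or the RS's rejection reason."""
    try:
        verify_at_resource_server(token, rs_identifier, now=now)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_access_token("client-42", "calendar.read",
                               "https://calendar.example.com", now=t0)
    print("calendar RS:", replay_outcome(token, "https://calendar.example.com", t0 + 10))
    print("mail RS:    ", replay_outcome(token, "https://mail.example.com", t0 + 10))
```

The same token is accepted by the calendar RS and refused by the mail RS; without the `aud` binding the mail RS would have no way to tell that the token was never meant for it. Note that the `aud` check is only a replay defence if every RS in the AS's domain performs it; an RS that skips it is exactly the cross-domain case described above as a disaster without proof of possession.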