[OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP
Hi Pieter / Daniel / Filip
It’s great to see this document moving forward.
I may have missed it, but it may be worth being more explicit that one solution
is to avoid using cross-device flows for same-device scenarios? It’s sort of
obvious, but questions like “well CIBA works for both
Thanks Brian, I will add clarification on CIBA and fix those transposition
errors. Much appreciated!
From: Brian Campbell
Sent: Friday, October 21, 2022 11:10 PM
To: Pieter Kasselman
Cc: oauth@ietf.org; Daniel Fett; Filip Skokan
Subject: Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow
And I just happened to notice there are a few mentions of RFC8682 (TinyMT32
Pseudorandom Number Generator) which should probably be RFC8628 (OAuth 2.0
Device Authorization Grant).
On Fri, Oct 21, 2022 at 4:06 PM Brian Campbell
wrote:
> Just want to try and clarify some things about the status
Just want to try and clarify some things about the status of CIBA, which is
described somewhat erroneously as a "standard under development." There is
a FAPI profile of CIBA that is still under development but core CIBA
Hi All
Following on from the discussions at IETF 113, the OAuth Security Workshop,
Identiverse and IETF 114, Daniel, Filip and I created a draft document
capturing some of the attacks that we are seeing on cross device flows,
including Device Authorization Grant (aka Device Code Flow).
These