> To: OAuth WG
> Subject: Re: [OAUTH-WG] Issue: 'username' parameter proposal
>
> Tacking this response to the end of the thread for lack of a better place to
> do it: The name "username" seems not quite apt in the case of an autonomous
> client that i
This is part of the delegation flows so username should be just fine...
EHL
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eve
Maler
Sent: Wednesday, April 21, 2010 4:43 PM
To: OAuth WG
Subject: Re: [OAUTH-WG] Issue: 'username' parameter proposal
Ta
> like it either. But sometimes it is more efficient to make progress
> and discuss such aspects in-depth when reaching milestones.
>
> regards,
> Torsten.
>
>>
>> EHL
>>
>> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
>> Sent: T
m...@stanfordalumni.org; OAuth WG
*Subject:* Re: [OAUTH-WG] Issue: 'username' parameter proposal
In my experience, such a review takes much longer than a few minutes.
I think the whole specification should be subject to a comprehensive
and in-depth security analysis (threat modeling,
Lahav
Cc: jsm...@stanfordalumni.org; OAuth WG
Subject: Re: [OAUTH-WG] Issue: 'username' parameter proposal
In my experience, such a review takes much longer than a few minutes.
I think the whole specification should be subject to a comprehensive and
in-depth security analysis (threat mo
rward and add it to the draft.
EHL
*From:* Joseph Smarr [mailto:jsm...@gmail.com]
*Sent:* Tuesday, April 20, 2010 9:36 AM
*To:* Eran Hammer-Lahav
*Cc:* Evan Gilbert; OAuth WG
*Subject:* Re: [OAUTH-WG] Issue: 'username' parameter proposal
Just to add some more context from experience,
On Tue, Apr 20, 2010 at 11:16 AM, Eran Hammer-Lahav wrote:
> Is that an objection to including a username parameter in the spec?
Damn skippy.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Is that an objection to including a username parameter in the spec?
EHL
> -Original Message-
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Tuesday, April 20, 2010 11:04 AM
> To: Eran Hammer-Lahav
> Cc: jsm...@stanfordalumni.org; OAuth WG
> Subject: Re
On Tue, Apr 20, 2010 at 10:23 AM, Eran Hammer-Lahav wrote:
> I’m not aware of anyone arguing against this feature. The only issue is a
> full security review before we add it to the spec. If one of the security
> experts here can spend a few minutes to review this, we can move forward and
> add it
l.com]
Sent: Tuesday, April 20, 2010 9:36 AM
To: Eran Hammer-Lahav
Cc: Evan Gilbert; OAuth WG
Subject: Re: [OAUTH-WG] Issue: 'username' parameter proposal
Just to add some more context from experience, this "two users getting mixed
together" problem happens a lot in practice,
t:* Monday, April 19, 2010 5:17 PM
>
> *To:* Eran Hammer-Lahav
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] Issue: 'username' parameter proposal
>
> On Mon, Apr 19, 2010 at 10:58 AM, Eran Hammer-Lahav wrote:
>
> Thanks. That makes sense.
>
>
&
This attack is why the flow requires the client to present the callback it used
again when getting the token.
EHL
From: Evan Gilbert [mailto:uid...@google.com]
Sent: Monday, April 19, 2010 5:17 PM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Issue: 'username' paramete
On 19.04.2010 22:37, Brian Eaton wrote:
On Mon, Apr 19, 2010 at 1:34 PM, Torsten Lodderstedt wrote:
Do you mean the thread "Signatures, Why?"
(http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy)?
I cannot remember that there was a consensus not to use signatures on
requests to
herwise
>
> I have no objections to this proposal but wanted to see some discussion and
> support from others before adding it to the spec.
>
> EHL
>
> *From:* Evan Gilbert [mailto:uid...@google.com]
> *Sent:* Monday, April 19, 2010 10:06 AM
> *T
On Mon, Apr 19, 2010 at 1:34 PM, Torsten Lodderstedt wrote:
> Do you mean the thread "Signatures, Why?"
> (http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy)?
>
> I cannot remember that there was a consensus not to use signatures on
> requests to the authorization server.
I can. =)
Which is something we decided not to do when we discussed the use of
signatures.
EHL
*From:* Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
*Sent:* Monday, April 19, 2010 12:19 PM
*To:* Eran Hammer-Lahav
*Cc:* Evan Gilbert; OAuth WG
*Subject:* Re: [OAUTH-WG] Issue: 'username' pa
Which is something we decided not to do when we discussed the use of signatures.
EHL
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Monday, April 19, 2010 12:19 PM
To: Eran Hammer-Lahav
Cc: Evan Gilbert; OAuth WG
Subject: Re: [OAUTH-WG] Issue: 'username' parameter pr
wanted to see some
discussion and support from others before adding it to the spec.
EHL
*From:* Evan Gilbert [mailto:uid...@google.com]
*Sent:* Monday, April 19, 2010 10:06 AM
*To:* Eran Hammer-Lahav
*Cc:* OAuth WG
*Subject:* Re: [OAUTH-WG] Issue: 'username' parameter proposal
User 1
]
Sent: Monday, April 19, 2010 10:06 AM
To: Eran Hammer-Lahav
Cc: OAuth WG
Subject: Re: [OAUTH-WG] Issue: 'username' parameter proposal
User 1 is logged into Client site
User 2 is logged into IDP site
This can happen quite frequently, as client sites often have long-lived cookies
and m
The scenario described by Evan shows a real issue, and the
username parameter solves it. Not sure if there are other
implications, but definitely worth discussing.
Marius
On Mon, Apr 19, 2010 at 10:06 AM, Evan Gilbert wrote:
> User 1 is logged into Client site
> User 2 is logged into I
User 1 is logged into Client site
User 2 is logged into IDP site
This can happen quite frequently, as client sites often have long-lived
cookies and may only be visited by one user on a shared computer.
Right now the client site has no way to ask for a token for User 1, and the end
result will be that Us
How can they both be logged in? I have never seen a case where two users can
both be logged into the same service at the same time...
EHL
On 4/19/10 8:33 AM, "Evan Gilbert" wrote:
More details on this enhancement.
Goal: Make sure you get an access token for the right user in immediate mod
More details on this enhancement.
Goal: Make sure you get an access token for the right user in immediate
mode.
Use case where we have problems if we don't have username parameter:
1. Bob is logged into a web site as b...@idp.com.
2. Mary (his wife) is logged into IDP on the same computer
Evan Gilbert proposed a 'username' request parameter to allow the client to
limit the end user to authenticate using the provided authorization server
identifier. The proposal has not been discussed or supported by others, and
has not received a security review.
Proposal: Obtain further discussion