Yes, I think merging the drafts and not reusing PKCE is the correct path. Protection for code in the browser redirect also needs to be added to fully protect the whole flow.
John B.

> On Aug 23, 2016, at 4:54 PM, William Denniss <wdenn...@google.com> wrote:
>
> +1 to adopt.
>
> I would like us to develop a unified approach and merge the current drafts.
>
> On Tue, Aug 23, 2016 at 7:58 AM Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> +1
>
> I would also propose to focus use of token binding to detect replay of tokens
> (access, refresh, code)
>
>
> On 22.08.2016 at 23:02, Brian Campbell wrote:
>> I agree with Tony, if I understand what he's saying.
>> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>> was largely a straw-man to get the conversation started. But after talking
>> with people in Berlin, reviewing Dirk's document, and thinking about it some
>> more - it's not clear that PKCE is a great fit for token binding the
>> authorization code.
>>
>> Token binding the authorization code is, I think, something we want to
>> account for. But using/extending PKCE might not be the way to go about it.
>> And whatever approach we land on should probably be just one part of the
>> larger document on OAuth 2.0 Token Binding.
>>
>> On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <tony...@microsoft.com> wrote:
>> I'm OK with the
>> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
>> but not sure that
>> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>> is a good starting point as we would want a more generic solution for PoP
>> tokens in general
>>
>>
>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
>> Sent: Tuesday, August 16, 2016 11:45 AM
>> To: Hannes Tschofenig <hannes.tschofe...@gmx.net>
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
>>
>> Just a friendly reminder that the 'deadline' for this call for adoption is
>> tomorrow.
>>
>> According to the minutes from Berlin
>> <https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth>,
>> 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were
>> against.
>>
>> On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>>
>> Hi all,
>>
>> this is the call for adoption of the 'OAuth 2.0 Token Binding' document
>> bundle* following the positive call for adoption at the recent IETF
>> meeting in Berlin.
>>
>> Here are the links to the documents presented at the last IETF meeting:
>> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
>> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
>>
>> Please let us know by August 17th whether you accept / object to the
>> adoption of this document as a starting point for work in the OAuth
>> working group.
>>
>> Ciao
>> Hannes & Derek
>>
>> *: We will find out what the best document structure is later, i.e.,
>> whether the content should be included in one, two or multiple documents.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth