Corollary to this, are there thoughts of header protection under this method, and the associated issue of header modification?
— Justin On Apr 8, 2019, at 7:23 PM, Phil Hunt <phil.h...@oracle.com<mailto:phil.h...@oracle.com>> wrote: Question. One of the issues that Justin Richer’s signing draft tried to address was url modification by tls terminators/load balencers/proxies/api gateways etc. How do you see this issue in dpop? Is it a problem? Phil On Apr 3, 2019, at 9:01 AM, George Fletcher <gffletch=40aol....@dmarc.ietf.org<mailto:gffletch=40aol....@dmarc.ietf.org>> wrote: Perfect! Thank you! A couple comments on version 01... POST /token HTTP/1.1 Host: server.example.com<http://server.example.com/> Content-Type: application/x-www-form-urlencoded;charset=UTF-8 DPoP-Binding: eyJhbGciOiJSU0ExXzUi ... grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb (remainder of JWK omitted for brevity) I believe the "(remainder of JWK..." should be moved to the DPoP-Binding header... Also, there is no discussion of the DPoP-Binding header outside of the token request, but I suspect that is the desired way to communicate the DPoP-Proof to the RS. Possibly an example in the session for presenting the token to the RS would help. Thanks, George On 4/3/19 11:39 AM, Daniel Fett wrote: This is fixed in -01: https://tools.ietf.org/html/draft-fett-oauth-dpop-01<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dfett-2Doauth-2Ddpop-2D01&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=TEa5Vgb3rAzxbIuavB1lN65fnkTxKoMp7F2rw1AjuEY&e=> -Daniel Am 03.04.19 um 17:28 schrieb George Fletcher: A quick question regarding... o "http_uri": The HTTP URI used for the request, without query and fragment parts (REQUIRED). Is 'without' supposed to be 'with' ? The example shows the http_uri *with* the query parameters :) On 3/28/19 6:17 AM, Daniel Fett wrote: Hi all, I published the first version of the DPoP draft at https://tools.ietf.org/html/draft-fett-oauth-dpop-00<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dfett-2Doauth-2Ddpop-2D00&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=eeMGKZq5R86dv0XgrBsIijzuI8OzQqnE-vmUEZ836hY&e=> Abstract This document defines a sender-constraint mechanism for OAuth 2.0 access tokens and refresh tokens utilizing an application-level proof-of-possession mechanism based on public/private key pairs. Thanks for the feedback I received so far from John, Mike, Torsten, and others during today's session or before! If you find any errors I would welcome if you open an issue in the GitHub repository at https://github.com/webhamster/draft-dpop<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_webhamster_draft-2Ddpop&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=RR3u82IhN7whr8LgXMWM2fWN7EKH6GO-Bs-HRxEwKHE&e=> - Daniel _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=8LDvfTYESi1fDeRK7mQrHFeo9okoJ4NTZU4OHyeRJWk&e=> _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_oauth&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=eQpusEFY7fROXNfEJmh0QzkejgdgaVnILpbm2q8x9II&s=8LDvfTYESi1fDeRK7mQrHFeo9okoJ4NTZU4OHyeRJWk&e= _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
