Hi Karsten, The specification mentions JARM. Does this specification require the iss response parameter even when JARM is used? That is, should an authorization response look like below?
HTTP/1.1 302 Found Location: https://client.example.com/cb?response={JWT}&iss={ISSUER} Or, can the iss response parameter be omitted when JARM is used? A small feedback for the 3rd paragraph in Section 4: s/identifes/identifies/ Best Regards, Taka On Tue, Nov 3, 2020 at 3:13 AM Vladimir Dzhuvinov <vladi...@connect2id.com> wrote: > Thanks Karsten, looks good to me now, no further comments. > > Vladimir > On 02/11/2020 09:54, Karsten Meyer zu Selhausen wrote: > > Hi all, > > Daniel and I published a new version of the "iss" response parameter draft > to address the feedback from the WG. > > Changes in -01: > > - Incorporated first WG feedback > - Clarifications for use with OIDC > - Added note that clients supporting just one AS are not vulnerable > - Renamed metadata parameter > - Various editorial changes > > > We would like to ask you for further feedback and comments on the new > draft version. > > Best regards, > Karsten > > -------- Forwarded Message -------- > Subject: New Version Notification for > draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt > Date: Sun, 01 Nov 2020 23:31:42 -0800 > From: internet-dra...@ietf.org > To: Karsten Meyer zu Selhausen <karsten.meyerzuselhau...@hackmanit.de> > <karsten.meyerzuselhau...@hackmanit.de>, Karsten zu Selhausen > <karsten.meyerzuselhau...@hackmanit.de> > <karsten.meyerzuselhau...@hackmanit.de>, Daniel Fett <m...@danielfett.de> > <m...@danielfett.de> > > > A new version of I-D, draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt > has been successfully submitted by Karsten Meyer zu Selhausen and posted > to the > IETF repository. > > Name: draft-meyerzuselhausen-oauth-iss-auth-resp > Revision: 01 > Title: OAuth 2.0 Authorization Server Issuer Identifier in Authorization > Response > Document date: 2020-11-01 > Group: Individual Submission > Pages: 10 > URL: > https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt > Status: > https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/ > Html: > https://www.ietf.org/archive/id/draft-meyerzuselhausen-oauth-iss-auth-resp-01.html > Htmlized: > https://tools.ietf.org/html/draft-meyerzuselhausen-oauth-iss-auth-resp-01 > Diff: > https://www.ietf.org/rfcdiff?url2=draft-meyerzuselhausen-oauth-iss-auth-resp-01 > > Abstract: > This document specifies a new parameter "iss" that is used to > explicitly include the issuer identifier of the authorization server > in the authorization response of an OAuth authorization flow. If > implemented correctly, the "iss" parameter serves as an effective > countermeasure to "mix-up attacks". > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > -- > Karsten Meyer zu Selhausen > IT Security Consultant > Phone: +49 (0)234 / 54456499 > Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, > Security Training > > Does your OAuth or OpenID Connect implementation use PKCE to strengthen the > security? Learn more about the procetion PKCE provides and its limitations in > our new blog > post:https://www.hackmanit.de/en/blog-en/123-when-pkce-cannot-protect-your-confidential-oauth-client > > Hackmanit GmbH > Universitätsstraße 60 (Exzenterhaus) > 44789 Bochum > > Registergericht: Amtsgericht Bochum, HRB 14896 > Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. > Christian Mainka, Dr. Marcus Niemietz > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
