[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Repository Activity Summary Bot Sun, 02 Mar 2025 00:03:10 -0800



Events without label "editorial"

Issues
------
* oauth-wg/oauth-browser-based-apps (+9/-14/💬13)
 9 issues created:
 - Permanent anchor requests (by aaronpk)

https://github.com/oauth-wg/oauth-browser-based-apps/issues/85- describe relationship to session fixation attacks (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/82- describe the confusion risk of adding the relaying server (section 6.1.3) (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/81- justify why the 5 specific attacks are the right ones as opposed to other things that might be possible with javascript injection (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/80- PKCE not defined when first introduced (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/79- clarify that the resource server, application, and oauth server may be in separate domains (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/78- mention malicious javascript as the foundation of the threat analysis early in the document (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/77- scope section 8 to OAuth tokens, mention that these recommendations are specific to OAuth but may overlap with general browser security recommendations (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/76- mention malicious javascript as the foundation of the threat analysis early in the document (by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/75

 10 issues received 13 new comments:
 - #81 describe the confusion risk of adding the relaying server (section 
6.1.3) (1 by philippederyck)

https://github.com/oauth-wg/oauth-browser-based-apps/issues/81- #80 justify why the 5 specific attacks are the right ones as opposed to other things that might be possible with javascript injection (1 by philippederyck)https://github.com/oauth-wg/oauth-browser-based-apps/issues/80- #79 PKCE not defined when first introduced (1 by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/79- #77 mention malicious javascript as the foundation of the threat analysis early in the document (1 by philippederyck)https://github.com/oauth-wg/oauth-browser-based-apps/issues/77- #75 mention malicious javascript as the foundation of the threat analysis early in the document (1 by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/75- #73 httpdir review notes (4 by aaronpk, philippederyck, yhastik691)https://github.com/oauth-wg/oauth-browser-based-apps/issues/73- #72 artart review notes (1 by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/72- #70 secdir review notes (1 by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/70- #69 Process last call reviews (1 by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/69- #68 Consider alternative phrasing for "scenarios" (1 by aaronpk)https://github.com/oauth-wg/oauth-browser-based-apps/issues/68

 14 issues closed:

- Process last call reviews https://github.com/oauth-wg/oauth-browser-based-apps/issues/69- artart review notes https://github.com/oauth-wg/oauth-browser-based-apps/issues/72- secdir review notes https://github.com/oauth-wg/oauth-browser-based-apps/issues/70- httpdir review notes https://github.com/oauth-wg/oauth-browser-based-apps/issues/73- Consider alternative phrasing for "scenarios" https://github.com/oauth-wg/oauth-browser-based-apps/issues/68- opsdir review notes https://github.com/oauth-wg/oauth-browser-based-apps/issues/71- scope section 8 to OAuth tokens, mention that these recommendations are specific to OAuth but may overlap with general browser security recommendations https://github.com/oauth-wg/oauth-browser-based-apps/issues/76- justify why the 5 specific attacks are the right ones as opposed to other things that might be possible with javascript injection https://github.com/oauth-wg/oauth-browser-based-apps/issues/80- describe the confusion risk of adding the relaying server (section 6.1.3) https://github.com/oauth-wg/oauth-browser-based-apps/issues/81- clarify that the resource server, application, and oauth server may be in separate domains https://github.com/oauth-wg/oauth-browser-based-apps/issues/78- describe relationship to session fixation attacks https://github.com/oauth-wg/oauth-browser-based-apps/issues/82- mention malicious javascript as the foundation of the threat analysis early in the document https://github.com/oauth-wg/oauth-browser-based-apps/issues/77- PKCE not defined when first introduced https://github.com/oauth-wg/oauth-browser-based-apps/issues/79- mention malicious javascript as the foundation of the threat analysis early in the document https://github.com/oauth-wg/oauth-browser-based-apps/issues/75

* oauth-wg/oauth-identity-chaining (+0/-2/💬4)
 2 issues received 4 new comments:
 - #122 Review usage of "one domain" and "another domain" (1 by PieterKas)

https://github.com/oauth-wg/oauth-identity-chaining/issues/122- #79 Should we allow identity chaining with DPoP tokens? (3 by arndt-s, kburgin3, martin-lindstrom)https://github.com/oauth-wg/oauth-identity-chaining/issues/79

 2 issues closed:

- Recommended media type for JWT Authorization Grant https://github.com/oauth-wg/oauth-identity-chaining/issues/85- Clarify client terminology https://github.com/oauth-wg/oauth-identity-chaining/issues/100

* oauth-wg/oauth-transaction-tokens (+1/-2/💬1)
 1 issues created:
 - Transaction Token Lifetime (by PieterKas)

https://github.com/oauth-wg/oauth-transaction-tokens/issues/155

 1 issues received 1 new comments:
 - #109 Key rotation guidance (1 by PieterKas)

https://github.com/oauth-wg/oauth-transaction-tokens/issues/109 [pre-last-call]

 2 issues closed:

- Key rotation guidance https://github.com/oauth-wg/oauth-transaction-tokens/issues/109 [pre-last-call]- Define discovery metadata for support of the Transaction Token functionality https://github.com/oauth-wg/oauth-transaction-tokens/issues/95 [IETF120-discuss] [pre-last-call]

* oauth-wg/oauth-sd-jwt-vc (+0/-0/💬1)
 1 issues received 1 new comments:
 - #250 Drop all references to DIDs and DID resolution (1 by za8457)

https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/250 [discuss]

* oauth-wg/oauth-selective-disclosure-jwt (+6/-0/💬0)
 6 issues created:
 - Add the wording "one-time use digital credentials" in the context of "batches of 
credentials". (by Denisthemalice)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/562- Proposed rewording in Section 1.1 about SD-JWT+KB (by Denisthemalice)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/561- The definition of an Issuer would need to be polished (by Denisthemalice)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/560- Figure 1 should illustrate the involvement of an End-User and be closer to the data structures that are exchanged (by Denisthemalice)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/559- Proposed rewording in Section 1.2 for the term Holder (by Denisthemalice)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/558- In Section 1.2, the term End-User should be defined as it is a fundamental entity in ISO 29100 (by Denisthemalice)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/557

* oauth-wg/draft-ietf-oauth-status-list (+1/-0/💬6)
 1 issues created:
 - Update Acknowledgments (by c2bo)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/271

 1 issues received 6 new comments:
 - #255 About claim "aggregation_uri" (6 by Denisthemalice, paulbastian)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/255 [pending-close]

* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+0/-2/💬0)
 2 issues closed:

- Remove backslash for line wrapping from examples https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/89 [discuss]- JWT examples are missing the `typ` header parameter https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/issues/94 [bug] [ready-for-pr]



Pull requests
-------------
* oauth-wg/oauth-browser-based-apps (+2/-3/💬1)
 2 pull requests submitted:
 - changes for httpdir review (by aaronpk)

https://github.com/oauth-wg/oauth-browser-based-apps/pull/84- Pdr/addressing review comments (by philippederyck)https://github.com/oauth-wg/oauth-browser-based-apps/pull/83

 1 pull requests received 1 new comments:
 - #65 Gen-ART review: simple editorial fixes and suggestion (1 by aaronpk)

https://github.com/oauth-wg/oauth-browser-based-apps/pull/65

 3 pull requests merged:
 - changes for httpdir review

https://github.com/oauth-wg/oauth-browser-based-apps/pull/84- Changes to address opsdir review feedbackhttps://github.com/oauth-wg/oauth-browser-based-apps/pull/74- Pdr/addressing review commentshttps://github.com/oauth-wg/oauth-browser-based-apps/pull/83

* oauth-wg/oauth-identity-chaining (+1/-4/💬0)
 1 pull requests submitted:
 - Prepare changelog for -04 release (by arndt-s)

https://github.com/oauth-wg/oauth-identity-chaining/pull/142

 4 pull requests merged:
 - Prepare changelog for -04 release

https://github.com/oauth-wg/oauth-identity-chaining/pull/142- Recommendation on media typeshttps://github.com/oauth-wg/oauth-identity-chaining/pull/141- Security Considerations: subject tokenhttps://github.com/oauth-wg/oauth-identity-chaining/pull/140- Consistent use of "trust domain" - Main text onlyhttps://github.com/oauth-wg/oauth-identity-chaining/pull/138

* oauth-wg/oauth-transaction-tokens (+1/-1/💬0)
 1 pull requests submitted:
 - Security Considerations: Key Rotation (by PieterKas)

https://github.com/oauth-wg/oauth-transaction-tokens/pull/156

 1 pull requests merged:
 - Security Considerations: Key Rotation

https://github.com/oauth-wg/oauth-transaction-tokens/pull/156

* oauth-wg/oauth-selective-disclosure-jwt (+2/-5/💬1)
 2 pull requests submitted:
 - MT in regular acks (by bc-pi)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/556- add a seventeen to the history (by bc-pi)https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/555

 1 pull requests received 1 new comments:
 - #555 add a seventeen to the history (1 by bc-pi)

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/555

 5 pull requests merged:
 - MT in regular acks

https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/556- add a seventeen to the historyhttps://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/555- some updates resulting from late WG reviewhttps://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/553- shepherd review updateshttps://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/552- add a swift lib to Implementations listhttps://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/554

* oauth-wg/draft-ietf-oauth-status-list (+3/-0/💬1)
 3 pull requests submitted:
 - add diagram for Status List Aggregation for further explanation, rena… (by 
paulbastian)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/272- Add cddl for statuslist cbor encoding (by c2bo)https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/270- Clarify Status List definition (by paulbastian)https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/269

 1 pull requests received 1 new comments:
 - #270 Add cddl for statuslist cbor encoding (1 by rohanmahy)

https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/270

* oauth-wg/draft-ietf-oauth-attestation-based-client-auth (+1/-1/💬0)
 1 pull requests submitted:
 - initial formulation on server provided nonce (by paulbastian)

https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/99

 1 pull requests merged:
 - fix examples (missing typ)

https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth/pull/96


Repositories tracked by this digest:
-----------------------------------
* https://github.com/oauth-wg/oauth-browser-based-apps
* https://github.com/oauth-wg/oauth-identity-chaining
* https://github.com/oauth-wg/oauth-transaction-tokens
* https://github.com/oauth-wg/oauth-sd-jwt-vc
* https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata
* https://github.com/oauth-wg/oauth-cross-device-security
* https://github.com/oauth-wg/oauth-selective-disclosure-jwt
* https://github.com/oauth-wg/oauth-v2-1
* https://github.com/oauth-wg/draft-ietf-oauth-status-list
* https://github.com/oauth-wg/draft-ietf-oauth-attestation-based-client-auth


--
To have a summary like this sent to your list, see: 
https://github.com/ietf-github-services/activity-summary

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

[OAUTH-WG] Weekly github digest (OAuth Activity Summary)

Reply via email to