Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

I support adoption.

On Aug 23, 2023, at 3:01 PM, Rifaat Shekh-Yusef wrote:
> All,
>
> This is an official call for adoption for the Protected Resource Metadata draft:
> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
>
> Please, reply on the mailing list and let us know if you are in favor of adopting this draft as WG document, by Sep 6th.
>
> Regards,
> Rifaat & Hannes

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] Call for adoption - Transaction Token

I support adoption of the Transaction Token draft.

- Mike
--
Michael Schwartz
Janssen Project Lackey
https://github.com/JanssenProject/jans <--- Please Star on Github
[OAUTH-WG] Re: OAuth Digest, Vol 198, Issue 21

I very much support moving the Token Status List draft forward. Gluu (via Janssen Project) has already implemented the draft spec and we've found it to be an invaluable new tool in our toolbox.

Mike
--
Michael Schwartz
Gluu Founder/CEO
https://www.linkedin.com/in/nynymike

On Mon, Apr 7, 2025 at 11:11 PM wrote:
> Send OAuth mailing list submissions to
> oauth@ietf.org
>
> To subscribe or unsubscribe via email, send a message with subject or
> body 'help' to
> oauth-requ...@ietf.org
>
> You can reach the person managing the list at
> oauth-ow...@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
> Today's Topics:
>
> 1. Re: Second WGLC for Token Status List (Brian Campbell)
> 2. Re: Second WGLC for Token Status List (Steffen Schwalm)
>
> Message: 1
> Date: Mon, 7 Apr 2025 13:49:27 -0600
> From: Brian Campbell
> Subject: [OAUTH-WG] Re: Second WGLC for Token Status List
> To: Steffen Schwalm
> Cc: "torsten=40lodderstedt@dmarc.ietf.org", oauth
>
> On Thu, Apr 3, 2025 at 11:33 AM Steffen Schwalm wrote:
> > I strongly oppose moving the specification forward, as issues are still open.
> >
> > 1. There's no documented decision on the well-known x509 issue – beside the wishes of the authors
>
> Having seen and participated in discussion of the issue on the mailing list, at "unofficial" events with WG participants, and at official events with WG participants - the decision was very clearly based on the wishes of the rough consensus of the WG participants. Speaking as an individual, of course.
>
> > 2. Still waiting for information from chairs on where and how to solve the issue when not in TokenStatusList
> > 3. This means TokenStatusList contains a privacy issue in case it is used for attestations of attributes in eIDAS
> >
> > From: Kristina Yasuda
> > Sent: Wednesday, 2 April 2025 00:22
> > To: ANTHONY NADALIN
> > Cc: torsten=40lodderstedt@dmarc.ietf.org; oauth
> > Subject: [OAUTH-WG] Re: Second WGLC for Token Status List
> >
> > I support moving this specification forward. It is a crucial building block for lifecycle management of different tokens/credentials.
> >
> > On Tue, Apr 1, 2025 at 9:42 PM ANTHONY NADALIN wrote:
> >
> > support this moving forward as we need this in ISO
> >
> > --
> >
> > From: torsten=40lodderstedt@dmarc.ietf.org
> > Sent: Tuesday, April 1, 2025 11:38:22 AM
> > To: oauth; Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
> > Subject: [OAUTH-WG] Re: Second WGLC for Token Status List
> >
> > Hi,
> >
> > I support moving this spec forward.
> >
> > best regards,
> > Torsten.
> >
> > On 24 March 2025, 13:41 +0100, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
> >
> > All,
> >
> > This is a *second WG Last Call* for the *Token Status List* document:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
> >
> > Please, review this document and reply on the mailing list if you have any comments or concerns, by *April 7th*.
> >
> > Regards,
> > Rifaat & Hannes
[OAUTH-WG] Re: Regarding issuing refresh tokens for PKCE based OAuth grant flow

Srinivas,

I think what you're getting at is that you don't want to issue a refresh token to an unauthenticated client, for example a browser client where you can't protect the secret. As Aaron alluded, PKCE is like a state param--it's never a bad idea.

Have you considered using DCR for the browser based client? In this case, a locally created private key only identifies that one browser session--so the blast radius of leakage is minimal. Once you have a properly registered client, then you could use private_key_jwt client authn at the token endpoint as Emelia suggests. You could include an SSA in the browser based application (presented during DCR) to identify the scopes allowed, expiration and any other app-specific metadata.

You might want to set a short time for the client lifetime so you don't have a bunch of unused client entities in your AS. For example, maybe browser-based clients should expire after one day. I know some people feel like too many client entities in the AS is somehow bad... but personally for high value transactions, I think it's a manageable expense. We can train LLMs, but we can't afford a few extra bits in the database to track the software performing sensitive transactions on our behalf?

This would be a great topic for discussion on the IOH Livestream: https://gluu.co/ioh-home :-)

- Mike
------
Michael Schwartz
Gluu Founder/CEO
m...@gluu.org
https://www.linkedin.com/in/nynymike

___
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
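The flow described in the message above (a browser session registers a locally generated key via DCR, then authenticates at the token endpoint with private_key_jwt, and the registration itself is short-lived), as an added example in Go. This is not code from the original post, from Gluu or from the Janssen project: the token endpoint URL, the `registeredClient` record and the one-day registration lifetime are constructed assumptions, and the AS side is reduced to the checks that matter for this discussion (registration still alive, ES256 signature against the registered key, iss/sub/aud, assertion expiry).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed token endpoint URL; it is the required audience of the client assertion.
const tokenEndpoint = "https://as.example/token"

// registeredClient is a hypothetical record of what the AS keeps after DCR: the client_id,
// the public half of the key the browser session generated locally, and a short
// registration lifetime so unused browser clients age out of the AS database (here: one day).
type registeredClient struct {
	ID        string
	PublicKey *ecdsa.PublicKey
	ExpiresAt time.Time
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signClientAssertion builds the ES256 JWT a private_key_jwt client sends as
// client_assertion: iss and sub are the client_id, aud is the token endpoint,
// jti is a random nonce, and the assertion itself lives only 60 seconds.
func signClientAssertion(clientID string, key *ecdsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": b64url(jti),
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(),
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig), nil
}

// verifyClientAssertion is the AS-side check at the token endpoint: the registration
// must still be alive, the ES256 signature must verify against the registered key,
// and iss/sub/aud and the assertion's own expiry must check out.
func verifyClientAssertion(assertion string, c registeredClient, now time.Time) error {
	if !now.Before(c.ExpiresAt) {
		return errors.New("client registration expired")
	}
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Alg string }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return errors.New("unsupported or malformed header") // only the algorithm we registered for is accepted
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(c.PublicKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	var claims struct {
		Iss, Sub, Aud string
		Exp           int64
	}
	if cb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &claims) != nil {
		return errors.New("malformed claims")
	}
	if claims.Iss != c.ID || claims.Sub != c.ID || claims.Aud != tokenEndpoint {
		return errors.New("iss/sub/aud mismatch")
	}
	if now.Unix() >= claims.Exp {
		return errors.New("assertion expired")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the browser session's local key
	now := time.Now()
	c := registeredClient{ID: "browser-client-1", PublicKey: &key.PublicKey, ExpiresAt: now.Add(24 * time.Hour)}
	assertion, _ := signClientAssertion(c.ID, key, now)
	fmt.Println("fresh assertion:", verifyClientAssertion(assertion, c, now))
	fmt.Println("two minutes later:", verifyClientAssertion(assertion, c, now.Add(2*time.Minute)))
	fmt.Println("a day later:", verifyClientAssertion(assertion, c, now.Add(25*time.Hour)))
}
```

The registration-expiry check runs first and independently of the JWT, which is the point of the short client lifetime: once a browser client has aged out, a leaked key no longer buys anything at the token endpoint, whatever the assertion says.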
[OAUTH-WG] Re: Token Status List Shepherd Write-up - Implementations

Christian,

We implemented Session Status List in Janssen Auth Server:
https://docs.jans.io/head/janssen-server/auth-server/endpoints/session-status-list/

Also, we have a PR for Status List token validation in the Cedarling PDP which is almost done:
https://github.com/JanssenProject/jans/pull/11520

- Mike
--
Michael Schwartz
Gluu Founder/CEO
m...@gluu.org
https://www.linkedin.com/in/nynymike

On Mon, Jun 2, 2025 at 9:37 AM wrote:
> Today's Topics:
>
> 1. Re: Token Status List Shepherd Write-up - Implementations (Christian Bormann)
> 2. Re: OAuth 2.1 Draft version 12 expired 19.05.2025 (Antic Kristian (C/CYG-GE))
>
> Message: 1
> Date: Mon, 2 Jun 2025 15:02:18 +0200
> From: Christian Bormann
> Subject: [OAUTH-WG] Re: Token Status List Shepherd Write-up - Implementations
> To: Rifaat Shekh-Yusef
> Cc: oauth
>
> Hi Rifaat,
>
> We have a small list of open source implementations that we are aware of and which agreed to being added to our repository:
>
> https://github.com/oauth-wg/draft-ietf-oauth-status-list?tab=readme-ov-file#implementations-open-source
>
> Regards,
> Christian
>
> > On 1. Jun 2025, at 14:04, Rifaat Shekh-Yusef wrote:
> >
> > All,
> >
> > As part of the shepherd write-up for the Token Status List document, we are looking for information about implementations of this draft.
> >
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
> >
> > Please, reply to this email, on the mailing list, with any implementations that you are aware of to support this document.
> >
> > Regards,
> > Rifaat
>
> Message: 2
> Date: Mon, 2 Jun 2025 14:36:48 +0000
> From: "Antic Kristian (C/CYG-GE)"
> Subject: [OAUTH-WG] Re: OAuth 2.1 Draft version 12 expired 19.05.2025
> To: Aaron Parecki, Rifaat Shekh-Yusef
> Cc: "oauth@ietf.org"
>
> Hi,
>
> Thank you both for your quick reply and Aaron for the updated draft version (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13)
>
> Best regards
>
> Kristian Antic
>
> Cyber Security - Governance Enterprise IT (C/CYG-GE)
> Robert Bosch GmbH | Stuttgart | GERMANY
> www.bosch.com
> kristian.an...@de.bosch.com
>
> From: Aaron Parecki
> Sent: Wednesday, May 28, 2025 4:07 PM
> To: Rifaat Shekh-Yusef
> Cc: Antic Kristian (C/CYG-GE); oauth@ietf.org
> Subject: Re: [OAUTH-WG] Re: OAuth 2.1 Draft version 12 expired 19.05.2025
>
> I've been working on related documents, mainly the OAuth for Browser Apps BCP, and haven't come back around to this one in a while.
>
> I just published an update that fixes some references including updating the Security BCP references to RFC 9700, so it shows as an active draft again.
>
> Aaron
>
> On Fri, May 23, 2025 at 4:09 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>