- Concern that 3 and 3.1 do not clearly show a way for a native client to
provide client_id (to identify the client only) without doing authentication.
Proposed new text, insert in bold:
"In addition, the authorization server MAY allow unauthenticated access
token requests when the cli
Resending to the list from my subscribed account...
Begin forwarded message:
> From: Skylar Woodward
> Date: May 23, 2011 6:14:00 PM PDT
> To: Skylar Woodward
> Cc: Eran Hammer-Lahav , OAuth WG
> Subject: Re: [OAUTH-WG] issues with token age element - MAC token
>
> So after discussing this to
On Mon, May 23, 2011 at 1:44 PM, Skylar Woodward wrote:
> Just for the record, I spoke with Marius just now and they'll be using Eran's
> suggested URN for this (as well as 'oob' as a non-compliant alias):
>
> urn:ietf:wg:oauth:2.0:oob
>
> Still remains to be codified in some way as an off
Just for the record, I spoke with Marius just now and they'll be using Eran's
suggested URN for this (as well as 'oob' as a non-compliant alias):
urn:ietf:wg:oauth:2.0:oob
Still remains to be codified in some way as an official suggestion. Would this
belong in the core spec?
skylar
Answers inline:
Not sure how to interpret the authorization header grammar described in section
2.1. The intent seems to be for something like:
Bearer dfgh76dfghdfg
After the scheme name, "Bearer", there is a required whitespace followed by the
actual token. The token is represented by a seq
The working group explicitly decided that a different name should be used, to
make it clear that other token types other than bearer tokens could also be
used with OAuth 2.
-- Mike
From: oauth-boun...@ietf.org [mailto:oauth-boun...@iet
As promised, here is a good description:
http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/.
Igor
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
On Mon, May 23, 2011 at 10:49 AM, Doug Tangren wrote:
> Thanks! It would be nice to have
> in http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-6
Section 6 is about using a refresh token to get a new access token.
Expired access tokens don't make sense in this case.
Using access tokens to
Thanks! It would be nice to have in
http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-6
-Doug Tangren
http://lessis.me
On Mon, May 23, 2011 at 1:47 PM, Marius Scurtescu wrote:
> On Mon, May 23, 2011 at 10:29 AM, Doug Tangren
> wrote:
> > I'm on Skype, and the audio is kind of choppy. wit
On Mon, May 23, 2011 at 10:29 AM, Doug Tangren wrote:
> I'm on Skype, and the audio is kind of choppy. With regard to the status
> codes as error values, which is the proper error code to use when an access
> token expires. Can someone bring that question up?
The error code would be "invalid_token
On 5/23/11 11:29 AM, Doug Tangren wrote:
> I'm on Skype, and the audio is kind of choppy.
I'm dialed in via PSTN and it's not bad.
> With regard to the status
> codes as error values, which is the proper error code to use when an
> access token expires. Can someone bring that question up?
>
> Al
I'm on Skype, and the audio is kind of choppy. With regard to the status
codes as error values, which is the proper error code to use when an access
token expires. Can someone bring that question up?
Also, is there an IRC channel to log into for this meeting? It may be easier
to type in my comments.
OK. I'm going to run for lunch and sneak quietly in on the conf call ~ 10
(1 for me).
-Doug Tangren
http://lessis.me
On Mon, May 23, 2011 at 12:22 PM, Brian Campbell wrote:
> Looks like they are starting now.
>
> On Mon, May 23, 2011 at 9:35 AM, Doug Tangren wrote:
> > For those joining remo
Looks like they are starting now.
On Mon, May 23, 2011 at 9:35 AM, Doug Tangren wrote:
> For those joining remotely, does the meeting actually start @ 9 or 10? It
> looks like there's an hour of breakfast at 9 (PST). I'm in NYC so that's my
> lunch time.
>
> -Doug Tangren
> http://lessis.me
>
>
One more thing (that may be obvious) and assuming the URI change is
okay, Eran, can you update the example post body in section 4.5
(http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.5) to
reflect the URI change in the next draft?
grant_type=http%3A%2F%2Foauth.net%2Fgrant_type%2Fsaml%
For those joining remotely, does the meeting actually start @ 9 or 10? It
looks like there's an hour of breakfast at 9 (PST). I'm in NYC so that's my
lunch time.
-Doug Tangren
http://lessis.me
On Sun, May 22, 2011 at 1:40 PM, David Recordon wrote:
> If you're planning to attend in person then yo
I wanted to respond to this comment (sorry it's a few months later) to
say that those security considerations are important but I believe
they are already covered by the normative language in the SAML-bearer
spec as well as the references to the SAML Core and the SAML Security
and Privacy Considera
These changes touch on, but don't necessarily address, some
questions/comments from Peter Saint-Andre raised a while back.
Here's the last message in that thread:
http://www.ietf.org/mail-archive/web/oauth/current/msg05741.html
Peter (or anyone really), any additional thoughts on those items? Do
-04 is up already at
http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-04 and the
changes are pretty minor:
-- (from Appendix B. Document History) --
o Changed the grant_type URI from
"http://oauth.net/grant_type/assertion/saml/2.0/bearer"; to
"http://oauth.net/grant_type/sa
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Open Authentication Protocol Working Group of
the IETF.
Title : SAML 2.0 Bearer Assertion Grant Type Profile for
OAuth 2.0
Author(s) : Chuck Mortimore
You may have noticed, on page 8 the host is listed as "example.net" - should be
example.com, I believe. (draft v5)
All in all, I'm in support of the changes in v2. Certainly addresses my
hesitations from v2.
skylar
On May 9, 2011, at 12:36 PM, Eran Hammer-Lahav wrote:
> (Please discuss this