[OAUTH-WG] Publication requested for draft-ietf-oauth-v2-bearer-12

2011-10-27 Thread Hannes Tschofenig
Hi Stephen, the OAuth working group requests publication of draft-ietf-oauth-v2-bearer-12 as Proposed Standard. Here is the write-up for the document. --- Document Shepherd Write-Up for draft-ietf-oauth-v2-bearer-12 (1.a) Who is the Document Shepherd

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread Nat Sakimura
Thanks George. Just to clarify the intent of this I-D : this I-D proposes the JSON request style to be adopted as part of OAuth so that the URI request parameters could be omitted. =nat On Fri, Oct 28, 2011 at 5:24 AM, George Fletcher wrote: > The main reason to include the OAuth parameters i

[OAUTH-WG] draft-ietf-oauth-v2-bearer-12: ABNF nits

2011-10-27 Thread Manger, James H
The value should just be . The current ABNF implies you can include raw (unescaped) " and \ characters in the value (as they are chars in ) - but that breaks parsing. If the intention was not to allow senders to use escapes then needs to be <%x20-%x21 / %x23-5B / %x5D-7E>. If that is the intent

Re: [OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -12

2011-10-27 Thread Hannes Tschofenig
Thank you Mike for your work on the specification and to get the feedback incorporated before the deadline. On Oct 28, 2011, at 12:01 AM, Mike Jones wrote: > Draft 12 of the OAuth 2.0 Bearer Token Specification has been published. I > believe that the chairs will be submitting this version to

[OAUTH-WG] OAuth 2.0 Bearer Token Specification Draft -12

2011-10-27 Thread Mike Jones
Draft 12 of the OAuth 2.0 Bearer Token Specification has been published. I believe that the chairs will be submitting this version to the IESG. It contains the following changes: * Made non-normative editorial changes that Hann

[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-12.txt

2011-10-27 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : The OAuth 2.0 Authorization Protocol: Bearer Tokens Author(s) : Michael B. Jones

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread George Fletcher
The main reason to include the OAuth parameters in the request is to ensure that the request object was not modified in transit since the JSON request object can be signed. Agreed that it would be simpler if OAuth adopted the JSON request style. Thanks, George On 10/27/11 1:33 PM, tors...@lod

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread Phil Hunt
Mike, Why can't the same access token be used for both services? Is it because the services have different security systems and demand different tokens? Why not a single token for both? Phil @independentid www.independentid.com phil.h...@oracle.com On 2011-10-27, at 10:55 AM, Mike Jones

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread Mike Jones
In OpenID Connect, the two tokens are used to access two different sets of resources: the "id_token" for claims about the logged-in session and the "code" token to access the UserInfo endpoint for claims about the user. FYI, see http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread Phil Hunt
John, What is the reason behind having a separate ID_Token from the access Token? I understand the tokens are used to retrieve different information, but not sure I fully understand why separate tokens are needed. I ask because I recall others have asked for multi-token response….trying to un

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread torsten
Hi John, why do you need to include the OAuth request parameters into the JSON document? I would expect OpenId Connect to extend OAuth non-intrusively. This would mean to use the JSON document for OpenId connect specific parameters only. Alternatively, the JSON request style could be adopted a

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread John Bradley
Hopefully to make it more compatible with existing OAuth 2 libraries. At least leave open the possibility of dealing with it at a higher level. The argument has been made that you probably need to modify the library anyway to check that the duplicate parameters are a match. If there is conse

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread Igor Faynberg
Many thanks for pointing this out! It is *absolutely* (not "probably") worth studying. Igor On 10/26/2011 6:31 PM, John Bradley wrote: Nat and I just refreshed the I-D for draft-sakimura-oauth-requrl. It is essentially a standardization of the method we are using in openID Connect to make sign

Re: [OAUTH-WG] Rechartering JSON based request.

2011-10-27 Thread Igor Faynberg
On 10/26/2011 6:31 PM, John Bradley wrote: ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-revocation-03.txt

2011-10-27 Thread Torsten Lodderstedt
Hi Craig, thanks for your comment. The revocation endpoint uses the same authentication policy as the core spec. Confidential clients must authenticate using their client secret (or any other credential). The end-user's credentials are not involved at all. regards, Torsten. Am 27.10.2011