Re: [OAUTH-WG] OAuth2 attack surface....

2013-03-01 Thread prateek mishra
On Mar 1, 2013, at 4:00 PM, prateek mishra wrote: Yup, use of confidential clients and full checking of redirect URIs would mitigate these attacks. I think there is an issue of providing guidance to developers/deployers, about making secure choices, that needs to be addressed someplace. A

Re: [OAUTH-WG] Registration: grant_types and response_types

2013-03-01 Thread Mike Jones
Agreed, servers could enforce that combinations that don't make sense result in errors. BTW, OpenID Connect decided to keep both parameters for registration, since they're not actually orthogonal. While verbose, at least then the registration information about what grant types and response typ

Re: [OAUTH-WG] OAuth2 attack surface....

2013-03-01 Thread Antonio Sanso
On Mar 1, 2013, at 4:00 PM, prateek mishra wrote: Yup, use of confidential clients and full checking of redirect URIs would mitigate these attacks. I think there is an issue of providing guidance to developers/deployers, about making secure choices, that needs to be addressed someplace. A test

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt

2013-03-01 Thread Sergey Beryozkin
On 01/03/13 14:56, William Mills wrote: The new signature base string stuff still needs work; I wanted to tackle more major restructuring first. I want to pull all of those things out of the query string. Well, thanks for keeping replying, but I'm not closer to connecting the above response to

Re: [OAUTH-WG] OAuth2 attack surface....

2013-03-01 Thread prateek mishra
Yup, use of confidential clients and full checking of redirect URIs would mitigate these attacks. I think there is an issue of providing guidance to developers/deployers, about making secure choices, that needs to be addressed someplace. A test suite would also be a good complement to a docum

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt

2013-03-01 Thread William Mills
The new signature base string stuff still needs work; I wanted to tackle more major restructuring first. I want to pull all of those things out of the query string. From: Sergey Beryozkin To: William Mills Cc: "oauth@ietf.org" Sent: Friday, March 1, 201

[OAUTH-WG] Using access token in draft-ietf-oauth-v2-http-mac

2013-03-01 Thread Sergey Beryozkin
Hi Hannes, the proposed Authenticator text says: "access_token CONDITIONAL. The access_token MUST be included in the first request from the client to the server but MUST NOT be included in a subsequent response and in a further protocol exchange. " Why MUST is there

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-http-mac-03.txt

2013-03-01 Thread Sergey Beryozkin
I'm looking at [1] and I honestly don't follow what adding a JSON structure would bring to the table; the text there is quite straightforward, and the 'sorting' variable is not even there, maybe only if headers are *optionally* included when calculating 'mac'. Are you indirectly referring t