Re: [OAUTH-WG] Device profile usage

2013-05-28 Thread Vincent Tsang
The client is a native Windows application, for instance, a document editor like MS Word. The editor can upload copies to the cloud (e.g. Amazon S3), then record the version history and notes associated with each cloud copy to our cloud service via our cloud application API (to be secured by OAuth

Re: [OAUTH-WG] Device profile usage

2013-05-28 Thread Nat Sakimura
A little more application and user context would help. A use case, so to speak. Nat On 2013/05/29 at 12:04, Vincent Tsang wrote: > Hi Hannes, > > Thanks for your reply. > Actually I am new to OAuth and am simply trying to search for the best > industrial practice for granting access tokens when the

Re: [OAUTH-WG] Device profile usage

2013-05-28 Thread Vincent Tsang
Hi Hannes, Thanks for your reply. Actually I am new to OAuth and am simply trying to search for the best industrial practice for granting access tokens when the client to our application API is a simple Windows application, which in most cases runs on PCs with a web browser installed. Therefore th

Re: [OAUTH-WG] Implicit clients in Dynamic Registration

2013-05-28 Thread Phil Hunt
It is my strong opinion that giving each execution a client_id makes things much worse. Again, now we can't tell who the risky players are since each client is anonymized through the registration process. This is just not securable by any means. IMHO. Phil On 2013-05-28, at 8:42, Justin Richer

Re: [OAUTH-WG] JWT: add "iss" and "aud" to Reserved Header Parameter Names in JWE

2013-05-28 Thread Dick Hardt
Following up on this topic ... On Wed, May 1, 2013 at 2:12 PM, Dick Hardt wrote: > "iss" and "aud" would be optional parameters in a JWE. These parameters > are in the payload, but since it is encrypted, the payload must be > decrypted before they can be read. Sometimes knowing these parameter

Re: [OAUTH-WG] Implicit clients in Dynamic Registration

2013-05-28 Thread Justin Richer
The main problem comes with establishing the client_id across multiple auth servers, not across multiple copies of the code. One of the key things that the DynReg spec does is establish a client_id for a client at an AS, and indeed the trigger condition for using it is generally "I'm a client a

[OAUTH-WG] FW: JOSE -11 drafts and JWT -08 released

2013-05-28 Thread Mike Jones
From: Mike Jones Sent: Tuesday, May 28, 2013 8:11 AM To: j...@ietf.org Subject: JOSE -11 drafts and JWT -08 released The -11 drafts of the JSON Object Signing and Encryption (JOSE) specifications have been released that incorporate the changes agreed to at

Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

2013-05-28 Thread Justin Richer
Torsten, thanks for the review. Comments inline. On 05/27/2013 03:03 PM, Torsten Lodderstedt wrote: Hi Justin, the drafts look very good. Just some questions/comments from my side: section 1.4 How is the client supposed to identify/distinguish authorization servers? Based on the Client Reg

[OAUTH-WG] I-D Action: draft-ietf-oauth-json-web-token-08.txt

2013-05-28 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title: JSON Web Token (JWT) Author(s): Michael B. Jones, John Bradley