+1
Phil
> On Nov 3, 2014, at 16:07, Bill Mills wrote:
>
> We need to think about this, and whatever we build in this space should work
> for POP tokens as well. I'd love to hear the concrete use cases and problems
> to be solved.
>
>
>
> POP tokens (like OAuth 1.0a) are likely not to be p
We need to think about this, and whatever we build in this space should work
for POP tokens as well. I'd love to hear the concrete use cases and problems
to be solved.
POP tokens (like OAuth 1.0a) are likely not to be proxyable, so the edge
servers really should have a way to get a new cre
There's a new working group document where this component *could* be captured
(and I would argue it should), and that's:
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-token-exchange/
However, at the moment it's more concerned with the semantically-aware
assertion swap instead of an opaque to
Alissa,
Could you take a look at your discuss and see if you agree it can be
cleared? It looks like your suggestions were all incorporated into
section 12. Privacy Considerations.
https://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
Thank you,
Kathleen
On Sat, Oct 25, 2014 at 2:33
Dear OAuth group members,
A couple weeks ago I submitted the Audit in OAuth 2.0 draft to IETF
http://www.ietf.org/id/draft-tsitkov-audit-00.txt. Because the name of the
file is missing an "-oauth-" component, it does not show up in the
http://datatracker.ietf.org/wg/oauth/documents/ list. I in
Strictly speaking the JWT is signed by the "iss" identity provider's private
key and validated by the client using the identity provider's public key.
Though lots of documents talk about signing with "public keys" using the term
more conceptually.
You could say "signed by the private portion
I believe there are now 3 independently written drafts.
No working group work has been done.
Maybe it is time for the WG to work on this?
It just doesn't seem to have as much priority as other issues like proof of
possession tokens.
Phil
> On Nov 3, 2014, at 03:02, Bas Zoetekouw wrote:
>
Oops, sorry, forget about it… of course this is correct… For some reason I read
"signed with the identity provider's public key" :)
regards
antonio
On Nov 3, 2014, at 8:27 PM, Antonio Sanso wrote:
> nice stuff Justin.
> Little nitpicking: is it just me or does this sound a bit weird "signed by the
> id
nice stuff Justin.
Little nitpicking: is it just me or does this sound a bit weird "signed by the
identity provider's public key"?
regards
antonio
On Nov 3, 2014, at 5:30 AM, Justin Richer wrote:
> As of earlier this evening, I've published the article that we've been
> working on about dealing w
Hi All,
For a client of ours, I am looking into OAuth token redelegation from
one RS to another. I've found two drafts that more or less describe the
scenario they want to implement:
https://tools.ietf.org/html/draft-richer-oauth-chain-00 and
http://tools.ietf.org/html/draft-hunt-oauth-chain-01
C
Hi Justin,
On 03/11/14 04:30, Justin Richer wrote:
As of earlier this evening, I've published the article that we've been
working on about dealing with OAuth and end-user authentication. It's
available here:
http://oauth.net/articles/authentication/
Huge thanks to everyone who commented on the
Facebook also has a "code" flow that uses an introspection call that is
precisely an example of the OAuth 2.0 + a-bit-of-luck type of login that
I was asking about earlier in this thread:
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2
Hans.
On 11/2/14, 9:1