Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Bill Mills
I think the motion here is going to be social/legal and not standards-based. We can preach on this all we want, but in the end folks like the EFF and major privacy watchdogs will carry the water here. On Monday, December 1, 2014 5:02 PM, Nat Sakimura wrote: Indeed, and there are c

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Nat Sakimura
Indeed, and there are commercial incentives for it. I have doubts about the legal effectiveness of such consent but that is the de-facto situation right now. On the longer run, there are initiatives like information sharing and consent WG at Kantara and ISO/IEC SC 27/WG 5 study group on notice and

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Bill Mills
Mis-stated perhaps, but it's highlighting a core problem we punt on at the protocol layer. FB as the example here tries to make the friction of using a FB login as low as possible, and so the user consent stuff is dialed down to the very minimum of acceptable. This is the common pattern, get a

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-01 Thread Justin Richer
> 1. Is the metadata (introspection response) being returned from the > authorization endpoint or from the token or a combination of both ? As I said below, ultimately it’s about the token and what it represents. If the token was issued through use of the authorization endpoint, then it’s

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Nat Sakimura
The article is misleading in multiple ways. At its heart, it has nothing to do with OAuth but with the problem of the explicit consent model, that people are trained to click "accept". Apparently, she did give her authorization to pull her profile to create a Zoosk account. She did the on-the-fly provisionin

Re: [OAUTH-WG] draft-ietf-oauth-introspection

2014-12-01 Thread Anthony Nadalin
Thanks for the update, there are still some unclear points 1. Is the metadata (introspection response) being returned from the authorization endpoint or from the token or a combination of both ? 2. "context" there may be no context other than the token, are you expecting the author

[OAUTH-WG] Milestones changed for oauth WG

2014-12-01 Thread IETF Secretariat
Changed milestone "Submit 'OAuth 2.0 Token Exchange' to the IESG for consideration as a Proposed Standard", set state to active from review, accepting new milestone. URL: http://datatracker.ietf.org/wg/oauth/charter/

[OAUTH-WG] Milestones changed for oauth WG

2014-12-01 Thread IETF Secretariat
Changed milestone "Submit 'OAuth 2.0 Dynamic Client Registration Management Protocol' to the IESG for consideration as an Experimental RFC", set state to active from review, accepting new milestone. Changed milestone "Submit 'Symmetric Proof of Possession (SPOP) for the OAuth Authorization Code Gr

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Hannes Tschofenig
Yes, this is the story. Sorry for including the wrong link. We can find out what the issue was but that wasn't necessarily my point. The problem is that there is unfortunately little understanding about the different layers and responsibilities involved. I think there is something to write about

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Phil Hunt
One thing to think about is that often people are talking in different ways about the same thing. E.g. in the article, people are talking about authentication as a service, whereas in the IETF we talk about authentication as a protocol. Mike, Tony, and I ran into this when we named the draft “

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread John Bradley
Hannes, I think this may be the link you were trying to share. http://www.cbc.ca/m/touch/news/story/1.2844953 I suspect the problem was the profile ID leaking via an ad rather than anything to do with OAuth as she never logged in. John B. > On Dec 1, 2014, at 1:25 PM, Hannes Tschofenig > w

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Bill Mills
That link does not contain the quoted text. Also the quoted text isn't wrong when you look at the FB OAuth usage and how users actually use it. On Monday, December 1, 2014 8:42 AM, Kathleen Moriarty wrote: Hi Hannes, When something is written up and agreed upon, I'd recommend that

Re: [OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Kathleen Moriarty
Hi Hannes, When something is written up and agreed upon, I'd recommend that we tweet about it in force to get the writeup some attention in an effort to help prevent this in the future. I could blog about it in the IESG blogs too if helpful. On Mon, Dec 1, 2014 at 11:25 AM, Hannes Tschofenig wr

[OAUTH-WG] OAuth in the news again....

2014-12-01 Thread Hannes Tschofenig
Hi all, I fear we have to write another article to clarify what OAuth does and what it does not do based on the misinformation spread with this recent article: http://www.techopedia.com/definition/26694/oauth A quote from that article: " Graham Williams, a Vancouver-based technology expert, point

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-dyn-reg-management-05

2014-12-01 Thread John Bradley
Inline > On Dec 1, 2014, at 11:34 AM, Hannes Tschofenig > wrote: > > Hi John, > > thanks for jumping in. > > On 12/01/2014 01:18 PM, John Bradley wrote: >> Hannes, >> >> You seem not to like the idea of client credential rotation. > > It is not that I do not like it but I would like to accom

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-dyn-reg-management-05

2014-12-01 Thread Hannes Tschofenig
Hi John, thanks for jumping in. On 12/01/2014 01:18 PM, John Bradley wrote: > Hannes, > > You seem not to like the idea of client credential rotation. It is not that I do not like it but I would like to accomplish a few things with my shepherd review: * Ensure that the document is consistent

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-dyn-reg-management-05

2014-12-01 Thread John Bradley
Hannes, You seem not to like the idea of client credential rotation. This is something we have wrestled with from the very beginning of Connect Dynamic client registration. In the early drafts we re-used the client secret for authentication to the registration/update endpoint. That was reject

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-01.txt

2014-12-01 Thread Justin Richer
Oh, thanks, that is supposed to be explicitly stated! Yes, it's form parameters. -- Justin / Sent from my phone / Original message From: Sergey Beryozkin Date: 12/01/2014 5:57 AM (GMT-05:00) To: oauth@ietf.org Cc: Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-

[OAUTH-WG] Access token response in application/jwt format

2014-12-01 Thread Sergey Beryozkin
Hi, the OIDC UserInfo endpoint supports returning UserInfo directly in JSON or JWS and/or JWE encoded. It is not only useful for OIDC RP clients but also allows for supporting proper HTTP content negotiation; for example, the implementation of the OIDC UserInfo endpoint has a better choice of where an o

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-01.txt

2014-12-01 Thread Sergey Beryozkin
On 01/12/14 10:56, Sergey Beryozkin wrote: Hi Justin, Nicely written text, as usual. A few comments: - I haven't found a reference to a data format of POST requests. I'm presuming it is going to be a form payload (would mean the server code can write more or less the same code dealing with POST & G

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-01.txt

2014-12-01 Thread Sergey Beryozkin
Hi Justin, Nicely written text, as usual. A few comments: - I haven't found a reference to a data format of POST requests. I'm presuming it is going to be a form payload (would mean the server code can write more or less the same code dealing with POST & GET queries)? - consider directly specifyi

[OAUTH-WG] WGLC on "OAuth Token Introspection"

2014-12-01 Thread Hannes Tschofenig
Hi all, as discussed at the last IETF meeting we are also starting a working group last call for the token introspection specification. Here is the document: http://tools.ietf.org/html/draft-ietf-oauth-introspection-01 Please send your comments to the OAuth mailing list by December 15, 2014. Cia

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-dyn-reg-management-05

2014-12-01 Thread Hannes Tschofenig
Hi Justin, a few comments inline: On 11/26/2014 02:32 PM, Justin Richer wrote: > And by “6790” below I obviously mean RFC6749. > > (Note to self, don’t write working group emails this early in the morning.) > > — Justin > > On Nov 26, 2014, at 8:31 AM, Justin Richer >

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-dyn-reg-management-05

2014-12-01 Thread Hannes Tschofenig
Hi Justin, thanks for making the change in the upcoming version. Ciao Hannes On 12/01/2014 03:21 AM, Justin Richer wrote: > Hannes, > > I’ve had a chance to more thoroughly re-read both the drafts and your > notes, I think you’re actually correct about the IANA registration. We > register “cli