Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call for Adoption Finalized

2016-02-04 Thread Justin Richer
I’d like to note that when Tony brought up it being Experimental on the list, several of us (myself included) pointed out that Informational is the correct designation for this specification. — Justin > On Feb 4, 2016, at 2:18 PM, Hannes Tschofenig > wrote: > > Hi all, > > On January 19th

Re: [OAUTH-WG] Proof of Possession Tokens: Next Steps

2016-02-04 Thread Justin Richer
Hannes, thanks for your clarification. I believe what we need is more working group involvement and feedback and not more authors on the document. As I’ve explained off-list and on several times, the document didn’t move forward in the last year because there hadn’t been any discussion or reaso

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

2016-02-04 Thread John Bradley
I would personally be fine with just the .well-known discovery. I think in the earlier thread I was trying to make the argument that webfinger discovery is going to be based on the API that you are looking for and not generic OAuth. A generic OAuth rel per user doesn’t really make sense. A cl

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

2016-02-04 Thread Phil Hunt
I thought about this when doing the SCIM discovery document. Initially I only had cases for plain .well-known. But I found there are two types of clients. I decided later that mobile and web apps have different needs. E.g. a mobile app might ask anonymously or on behalf of an already authenti

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

2016-02-04 Thread Justin Richer
+1, if we define a webfinger/rel at all. I would rather we just define the service discovery document, the thing that lives under .well-known. — Justin > On Feb 4, 2016, at 4:01 AM, Roland Hedberg wrote: > > +1 > >> 4 feb 2016 kl. 08:10 skrev Phil Hunt : >> >> +1 for adoption. >> >> Howe

[OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-00.txt

2016-02-04 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 for Native Apps Authors : William Denniss John Bra

[OAUTH-WG] I-D Action: draft-ietf-oauth-closing-redirectors-00.txt

2016-02-04 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol Working Group of the IETF. Title : OAuth 2.0 Security: Closing Open Redirectors in OAuth Authors : John Bradley

[OAUTH-WG] OAuth 2.0 Mix-Up Mitigation: My Impressions

2016-02-04 Thread Hannes Tschofenig
Hi all, when I posted the call for adoption of the 'OAuth 2.0 Mix-Up Mitigation' solution I wasn't expecting such a heavy debate on the list. While the call for adoption is still ongoing I would like to share my view as someone who has to judge consensus in a few days together with Derek. Regard

[OAUTH-WG] Encoding claims in the OAuth 2 state parameter using a JWT and Stateless Client Identifier for OAuth 2: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the 'Encoding claims in the OAuth 2 state parameter using a JWT' and of the 'Stateless Client Identifier for OAuth 2' specifications, see http://www.ietf.org/mail-archive/web/oauth/current/msg15406.html http://www.ietf.org/mail-archive/web/oa

[OAUTH-WG] OAuth 2.0 Device Flow: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the OAuth 2.0 Device Flow specification, see http://www.ietf.org/mail-archive/web/oauth/current/msg15403.html The feedback at the Yokohama IETF meeting was very positive and also the response on the mailing list was positive. To conclude, b

[OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the Authentication Method Reference Values specification, see http://www.ietf.org/mail-archive/web/oauth/current/msg15402.html What surprised us is that this work is conceptually very simple: we define new claims and create a registry with n

[OAUTH-WG] OAuth Open Redirector: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the OAuth Open Redirector specification, see http://www.ietf.org/mail-archive/web/oauth/current/msg15401.html There was positive feedback during the Yokohama IETF meeting to work on security fixes and more than 10 persons responded positivel

[OAUTH-WG] OAuth 2.0 for Native Apps: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the OAuth 2.0 for Native Apps specification, see http://www.ietf.org/mail-archive/web/oauth/current/msg15400.html There was very positive feedback during the Yokohama IETF meeting to work on this document in the OAuth working group. More tha

[OAUTH-WG] OAuth 2.0 Discovery: Call for Adoption Finalized

2016-02-04 Thread Hannes Tschofenig
Hi all, On January 19th I posted a call for adoption of the discovery spec, see http://www.ietf.org/mail-archive/web/oauth/current/msg15404.html The feedback at the Yokohama IETF meeting was very positive and also the response on the mailing list was positive. Various people, Phil, Brian, and To

Re: [OAUTH-WG] Proof of Possession Tokens: Next Steps

2016-02-04 Thread Hannes Tschofenig
Hi Kepeng, thanks for your input. > Yes, I am interested in this solution direction. > > Sender Constrained JWT is already indicated in PoP architecture document > as one of the solutions. That is correct. > > If we don’t specify it in detail, the solution set is incomplete. That's unfortuna

Re: [OAUTH-WG] Proof of Possession Tokens: Next Steps

2016-02-04 Thread Hannes Tschofenig
Hi Justin, you have not been removed from the author list of the HTTP signing draft. Unfortunate wording in my mail below may have given you that impression but I would like to bring some additional people on board who expressed interest. As you know, it is also great if we get new people to volu

Re: [OAUTH-WG] Call for Adoption: Stateless Client Identifier for OAuth 2

2016-02-04 Thread John Bradley
I support it. I have always thought of this as informational. It is not the only way to do it, and has no real interoperability impact. John B. > On Feb 4, 2016, at 3:29 AM, Mike Jones wrote: > > I support adoption of this document by the working group as either an > experimental or informat

Re: [OAUTH-WG] Call for Adoption: Encoding claims in the OAuth 2 state parameter using a JWT

2016-02-04 Thread John Bradley
I support this too if I haven't already. > On Jan 19, 2016, at 8:50 AM, Hannes Tschofenig > wrote: > > > Hi all, > > this is the call for adoption of Encoding claims in the OAuth 2 state > parameter using a JWT, see > https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-05 > > Pl

Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

2016-02-04 Thread John Bradley
In https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution The proof key is included in the access token or provided out of band. The proof mechanism to the RS is what would determine if the key type needs to match DTLS . If the proof is DTLS then they would need to match. POP wi

Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

2016-02-04 Thread Ludwig Seitz
Thank you Michael! Comments inline. /Ludwig On 02/04/2016 03:31 PM, Michael Richardson wrote: Ludwig Seitz wrote: > Assuming we are using (D)TLS to secure the connection between C and RS, > assuming further that we are using proof-of-possession tokens [2], > i.e. tokens linked

Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

2016-02-04 Thread Michael Richardson
Ludwig Seitz wrote: > Assuming we are using (D)TLS to secure the connection between C and RS, > assuming further that we are using proof-of-possession tokens [2], > i.e. tokens linked to a key, of which the client needs to prove possession in > order for the RS to accept the toke

Re: [OAUTH-WG] OAuth PoP Implementation

2016-02-04 Thread Justin Richer
Hi Erik, responses inline. On 2/4/2016 4:20 AM, Erik Wahlström wrote: Hi, Good work Justin. I’ve also implemented (parts) of PoP tokens for the ACE WG oauth2 draft and made a lot of the same assumptions. See below. On 03 Feb 2016, at 23:47, Justin Richer > wrote:

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-signed-http-request-02.txt

2016-02-04 Thread Sergey Beryozkin
Hi Justin IMHO it would be useful to consider dropping body hashes and simply using JWS filters to convert the body to/from JWS compact or even JSON on the fly. I recall there was some conversation before. People do want to stream the data end to end in today's web services. The idea of hashin

[OAUTH-WG] Questions about OAuth and DTLS

2016-02-04 Thread Ludwig Seitz
Hello list(s), in the process of updating our draft [1] (mainly in reaction to the reviewer's comments) I've come up with a question I'd like to put to the list (crossposting to OAuth as well, they might have considered that already): Assuming we are using (D)TLS to secure the connection bet

Re: [OAUTH-WG] OAuth PoP Implementation

2016-02-04 Thread Erik Wahlström
Hi, Good work Justin. I’ve also implemented (parts) of PoP tokens for the ACE WG oauth2 draft and made a lot of the same assumptions. See below. > On 03 Feb 2016, at 23:47, Justin Richer wrote: > > Hi Everyone, > > I recently decided to put together an end to end implementation of at leas

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

2016-02-04 Thread Roland Hedberg
+1 > 4 feb 2016 kl. 08:10 skrev Phil Hunt : > > +1 for adoption. > > However I would like a rel value distinct from OpenID (see separate email). > While the mechanics of discovery is the same, I believe some clients will > want to distinguish between OAuth AS’s and OIDC OPs. Further, I would

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

2016-02-04 Thread Roland Hedberg
> 3 feb 2016 kl. 00:48 skrev Phil Hunt : > > > Item 2: rel value for webfinger > It seems to me while the discovery requirements for plain OAuth and OIDC are > the same for today that might not always be true. What will happen if OIDC > wants to add more stuff? Will plain OAuth sites have t

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Device Flow

2016-02-04 Thread Roland Hedberg
+1 > 4 feb 2016 kl. 07:26 skrev Mike Jones : > > I support adoption of this document by the working group. > > -- Mike > > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Tuesday, January 19, 2016 3:48

Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values

2016-02-04 Thread Roland Hedberg
+1 > 20 jan 2016 kl. 23:07 skrev John Bradley : > > So if this is scoped to be a registry for the values of a JWT claim then it > is fine. > We should discourage people from thinking that it is part of the OAuth > protocol vs JWT claims. > > John B. > >> On Jan 20, 2016, at 6:29 PM, Mike Jone

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Security: OAuth Open Redirector

2016-02-04 Thread Roland Hedberg
+1 > 4 feb 2016 kl. 07:25 skrev Mike Jones : > > I support adoption of this document by the working group. > > -- Mike > > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig > Sent: Tuesday, January 19, 2016 3:48