Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-12 Thread Sergey Beryozkin
Hi On 12/04/16 14:03, Anthony Nadalin wrote: Specifications should be somewhat complete and not open ended/not thought out, you should think about the issues, requirements and use cases first before you try to force this into the working group process and confuse people, we had too many of these

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread Sergey Beryozkin
Hi On 12/04/16 16:58, Phil Hunt (IDM) wrote: John's assertion that RI can be used to detect mis-configured clients would make it mandatory. This is an AS + RS decision, right (make the tokens bound to specific RSs only)? So if the client wants to access RS with (from now on) stronger securit

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread John Bradley
I am fine with keeping it separate, however proper audience restriction of bearer tokens or POP tokens is a key mechanism to protect AT from misuse from a number of attacks. John B. > On Apr 12, 2016, at 12:06 PM, Phil Hunt (IDM) wrote: > > To be clear what I am saying... RI should be consid

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread John Bradley
Sorry, I don’t recall agreeing that audience restricting the AT is not a remedy for an attacker getting the token to access a resource. I don’t quite follow that. John B. > On Apr 12, 2016, at 12:00 PM, Phil Hunt (IDM) wrote: > > > > Phil > >> On Apr 12, 2016, at 03:49, John Bradley wrote:

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread Phil Hunt (IDM)
To be clear what I am saying... RI should be considered on its own merits as an optional protocol extension. I do not believe it has merit when linking it to client mis-configuration detection. The issues should be kept separate. Phil > On Apr 12, 2016, at 09:00, Phil Hunt (IDM) wrote: > >

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread John Bradley
Yes, clients that are dynamically configured would need to check the returned resources, or send the resource if you want to detect misconfiguration. This check is at run time and can be enforced by the AS. A discovery check is fake-able if the web-finger URI is compromised. Likely in my opinio

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread Phil Hunt (IDM)
Phil > On Apr 12, 2016, at 03:49, John Bradley wrote: > > We did agree in BA that if the client sends no resource the AS would audience > the AT per configured policy and reply to the client with additional > meta-data about what resources the AT can be used at. We also agreed that was not

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread Phil Hunt (IDM)
John's assertion that RI can be used to detect mis-configured clients would make it mandatory. To avoid that we need a config time solution for misconfiguration. Phil > On Apr 12, 2016, at 01:30, Sergey Beryozkin wrote: > > Hi >> On 11/04/16 23:19, Phil Hunt (IDM) wrote: >> I am objecting t

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-12 Thread Anthony Nadalin
Specifications should be somewhat complete and not open ended/not thought out, you should think about the issues, requirements and use cases first before you try to force this into the working group process and confuse people, we had too many of these specifications lately. We are now up to 15

Re: [OAUTH-WG] Call for Adoption: Resource Indicators for OAuth 2.0

2016-04-12 Thread Justin Richer
+1 to Torsten’s point. And a reminder to Tony that call for adoption is the *start* of the document editing process, not the end. We’re not saying this is a complete solution with everything thought out when we adopt the document, we’re saying it’s a problem we want to work on and a direction t

Re: [OAUTH-WG] Meeting Minutes

2016-04-12 Thread Justin Richer
That’s correct, we’ve filed an issue in our project to track its eventual implementation: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1055 — Justin > On Apr 11, 2016, at 8:21 AM

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread John Bradley
We did agree in BA that if the client sends no resource the AS would audience the AT per configured policy and reply to the client with additional meta-data about what resources the AT can be used at. It should be obvious that this is in no way a breaking change. The only clients that need to p

Re: [OAUTH-WG] Regarding using resource indicator to solve resource config issue

2016-04-12 Thread Sergey Beryozkin
Hi On 11/04/16 23:19, Phil Hunt (IDM) wrote: I am objecting to modifying the protocol in the default case as a majority do not need RI in the case of fixed endpoints. Migration would be challenging because the change is breaking and affects existing clients. How does it break the existing clien