Re: [OAUTH-WG] Call for adoption: OAuth Security Topics

2017-02-03 Thread Jim Manico
I'm just some random idiot and am not in this working group, but the work from https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00 is one of the most up-to-date and useful OAuth security resources ever publis

Re: [OAUTH-WG] OAuth for institutional users

2017-02-03 Thread Yunqi Zhang
In addition, what is the common practice for granting access to nested resources? For example, is it possible to grant read-only access to https://hostname/users/1234/ to user "1234" after login, but no access to other users' data like https://hostname/users/5678/? Thank you very much!

Re: [OAUTH-WG] OAuth for institutional users

2017-02-03 Thread Yunqi Zhang
Thank you very much, guys. What is the trade-off between using nested resources (e.g., https://hostname/users/:user_id/records/:record_id/) vs. flattened resources (e.g., https://hostname/users/:user_id/ and https://hostname/records/:record_id/)? Thank you! Yunqi On Fri, Feb 3, 2017 at 9:53 AM,

Re: [OAUTH-WG] OAuth for institutional users

2017-02-03 Thread Justin Richer
Hi Denis, The book is being published very shortly and the text is completed, so there aren't any more updates to be made to it. Additionally, this isn't really the forum for comments on the book (there's an online form for discussion if you're interested: https://forums.manning.com/forums/oa

[OAUTH-WG] draft-ietf-oauth-pop-key-distribution

2017-02-03 Thread Mészáros Mihály
Hi, Your draft says in https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2 The 'key' parameter either contains a plain JWK structure or a JWK encrypted with a JWE. But it does not mention that the plain JWK is base64url encoded. In the same section in the example in

Re: [OAUTH-WG] Last Call: (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)) to Proposed Standard

2017-02-03 Thread Denis
*Comments on I-D Action: draft-ietf-oauth-jwsreq-11.txt* Two editorial comments first: 1. Guidance is a mass noun, not a count noun; the plural doesn't make sense. Please change "guidances" into "guidance" twice in Section 11. 2. In Section 12: Please remove my name (Denis Pinkas) from this sec

Re: [OAUTH-WG] Alexey Melnikov's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS and COMMENT)

2017-02-03 Thread Alexey Melnikov
On Thu, Feb 2, 2017, at 06:05 PM, Mike Jones wrote: > I was planning to stay with the characters specified in 6.1 (a) > https://tools.ietf.org/html/draft-ietf-oauth-amr-values-05#section-6.1: > > a. require that Authentication Method Reference values being > registered use only printabl