Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt

2017-12-08 Thread Brian Campbell
The privacy matter is already mentioned. Despite your many messages to this WG and others about the so-called ABC attack, I do not believe it warrants treatment in this document or others. And your continued proposals to have it included in documents have not gotten support. On Fri, Dec 8, 2017 at

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt

2017-12-08 Thread Denis
RFC 3552 (Guidelines for Writing RFC Text on Security Considerations) states: All RFCs are required by RFC 2223 to contain a Security Considerations section. The purpose of this is both to encourage document authors to consider security in their designs and to inform the reader of relevant securi

Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

2017-12-08 Thread Bill Burke
On Fri, Dec 8, 2017 at 12:41 PM, Brian Campbell wrote: > I guess I'm going to kind of restate some of what I said in that earlier > thread and a bit more. The access and refresh token URIs from the draft are > intended to indicate that such tokens are issued by the given authorization > server act

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt

2017-12-08 Thread Mike Jones
I believe the text would detract from the document. From: OAuth on behalf of Brian Campbell Sent: Friday, December 8, 2017 3:47:32 PM To: Denis Cc: oauth Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt As an individual, I do not believ

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt

2017-12-08 Thread Brian Campbell
As an individual, I do not believe that the proposed text should be incorporated into the draft. As one of the document editors, my responsibility is for the document to be of reasonable quality and to reflect the rough consensus of this Working Group. So I should ask the list more explicitly - ar

Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

2017-12-08 Thread Mike Jones
I also agree that this additional functionality is out of scope for the Token Exchange specification. -- Mike From: OAuth on behalf of Rifaat Shekh-Yusef Sent: Friday, December 8, 2017 1:31:55 PM To: Brian Campbell Cc: OAuth WG Subject: Re: [OAUTH-WG] [token-ex

Re: [OAUTH-WG] WGLC for OAuth 2.0 Device Flow for Browserless and Input Constrained Devices

2017-12-08 Thread Vladimir Dzhuvinov
Hi, I just got a question on Twitter about the slow_down error: https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.5 The question was why slow_down is communicated via HTTP status code 400 and not 429 (Too Many Requests). Thanks, Vladimir On 27/11/17 15:55, Rifaat Shekh-Yu

Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

2017-12-08 Thread Rifaat Shekh-Yusef
Hi Bill, I agree with Brian that an AS to AS token exchange is beyond the scope of this document. I suggest that you send a separate email to start a discussion on this topic and see if there is interest in the WG to take this topic as a new work. Regards, Rifaat (as co-chair and document shephe

Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

2017-12-08 Thread Brian Campbell
I guess I'm going to kind of restate some of what I said in that earlier thread and a bit more. The access and refresh token URIs from the draft are intended to indicate that such tokens