Re: [OAUTH-WG] Review of oauth-mtls-07

2018-03-28 Thread Justin Richer
Thanks for the responses. I’ve cut out places where we seem to agree here and responded to the rest inline below. > > > §2.1¶1: It would be helpful to have a pointer on methods of comparing DNs. In > our implementation we serialize them to strings using a canonical format > (RFC2253) and do

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Bill Burke
On Wed, Mar 28, 2018 at 4:09 PM, Richard Backman, Annabelle < richa...@amazon.com> wrote: > That makes somewhat more sense to me if we’re talking about applications > with sticky sessions. Adding a session-specific logout URI introduces > security concerns (e.g. how does the OP validate the URI) a

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Richard Backman, Annabelle
That makes somewhat more sense to me if we’re talking about applications with sticky sessions. Adding a session-specific logout URI introduces security concerns (e.g. how does the OP validate the URI) and only works if the RP can provide URIs that target individual hosts in their fleet. The “is

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Bill Burke
On Wed, Mar 28, 2018 at 1:40 PM, Richard Backman, Annabelle < richa...@amazon.com> wrote: > I'm reminded of this session from IIW 21 > . ☺ > I look forward to reading the document distilling the various competing use > cases and

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread David Waite
> On Mar 28, 2018, at 11:40 AM, Richard Backman, Annabelle > wrote: > > I'm reminded of this session from IIW 21 > . ☺ I > look forward to reading the document distilling the various competing use > cases and requirements

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

2018-03-28 Thread Neil Madden
I like this draft, but I want to clarify if it is intended that the response JWT could be interpreted as an OpenID Connect ID Token? As the set of claims can overlap (in particular, all required ID token claims are valid token introspection response fields) and it seems highly likely that an AS

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Bill Burke
The biggest problem for us [1] is backchannel logout and we had to add a lot of proprietary protocols on top of OIDC's backchannel logout protocol. Specifically for "traditional" non-Javascript applications that have multiple endpoints behind a load balancer. You are really at the mercy of the a

[OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Mike Jones
Digital identity systems almost universally support end-users logging into applications and many also support logging out of them. But while login is reasonably well understood, there are many different kinds of semantics for "logout" in different use cases and a wide variety of mechanisms for