+1
Lars Wilhelmsen
Thales
-Original Message-
From: OAuth On Behalf Of Neil Madden
Sent: Tuesday 9 April 2019 10:43
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens
I support adoption of this draft.
— Neil
> On 8 Ap
My understanding:
The proof-of-possession needs to have a limited destination to prevent replay
against other resources. Similar to resource indicators and to distributed
OAuth, the client is expected to use a resource URL view of the world rather
than an access-token-specific audience or scope
Then why include the request at all? Simpler to just sign a nonce and send
those, then.
— Justin
On Apr 9, 2019, at 7:05 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
The thought/intent is that it's really about proof-of-possession rather than
protecting the request. So the si
Thanks Justin.
On Mon, Apr 8, 2019 at 5:49 PM Justin Richer wrote:
> Thanks for the clarifications everyone. Since I didn’t catch the
> one-and-only-one sentiment when reading the updates, I would recommend
> altering the text as follows in §2.1:
>
>The PKI (public key infrastructure) method
The thought/intent is that it's really about proof-of-possession rather
than protecting the request. So the signature is over a minimal set of
information.
On Mon, Apr 8, 2019 at 5:41 PM Justin Richer wrote:
> Corollary to this, are there thoughts of header protection under this
> method, and th
The following errata report has been submitted for RFC7636,
"Proof Key for Code Exchange by OAuth Public Clients".
--
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5687
--
Type: Technical
Reporte
I have not seen this as a requirement, but the devices that I’ve worked on were
not implemented or constrained in the same way that yours were. This seems like
it is a detail of that environment. That said, the device grant spec doesn’t
preclude the use of CORS on the device endpoint by being si
I support adoption of this draft.
— Neil
> On 8 Apr 2019, at 18:07, Hannes Tschofenig wrote:
>
> Hi all,
>
> this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'
> document following the positive feedback at the last IETF meeting in Prague.
>
> Here is the document:
> ht
+1
On Tue, Apr 9, 2019 at 5:45 AM Dominick Baier
wrote:
> +1
>
> ———
> Dominick
>
> On 8. April 2019 at 20:21:21, William Denniss (
> wdenniss=40google@dmarc.ietf.org) wrote:
>
> I support adoption of this draft as a working group document.
>
> On Mon, Apr 8, 2019 at 11:11 AM George Fletcher