> On Jul 8, 2019, at 8:39 PM, Aaron Parecki wrote:
>
> These are all very good points! I think the challenge here is figuring out
> where this kind of guidance is most appropriate.
>
> It does seem like some of these issues are unique to a browser environment
> (particularly where the browse
These are all very good points! I think the challenge here is figuring out
where this kind of guidance is most appropriate.
It does seem like some of these issues are unique to a browser environment
(particularly where the browser itself is managing the access and refresh
tokens), so maybe it make
> On Jul 8, 2019, at 7:10 PM, Leo Tohill wrote:
> Re 8. Refresh Tokens
>
> "For public clients, the risk of a leaked refresh token is much
> greater than leaked access tokens, since an attacker can potentially
> continue using the stolen refresh token to obtain new access without
> b
Ok, I'm creating a new posting for this feedback. :)
Here's where I probably just need some enlightenment, so please help me
out.
Re 8. Refresh Tokens
"For public clients, the risk of a leaked refresh token is much
greater than leaked access tokens, since an attacker can potentially
con
I see now that my arguments for softening the 6.1 language are backed and
expanded on by the last paragraph of section 5, starting with " By
redirecting to the authorization server,..."
On Mon, Jul 8, 2019 at 8:44 PM Leo Tohill wrote:
> regarding 6.1. Apps Served from a Common Domain as the Re
(should I start a new thread instead of making multiple replies to this
message?)
Re: Sec
Typo/grammar in:
"First- party apps are applications where by the same organization that
provides the API being accessed by the application."
Suggested rewrite:
"First- party apps are applications where the
regarding 6.1. Apps Served from a Common Domain as the Resource Server
Isn't this recommendation neglecting some benefits or use cases of OAuth?
* An application that doesn't collect user credentials is an app that
doesn't need to be audited for problems such as password leakage into log
files.
Hi all,
I've just uploaded a new version of oauth-browser-based-apps in preparation
for the meeting in Montreal.
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-02
This draft incorporates much of the feedback I've received over the last
couple months, as well as what we discussed
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 for Browser-Based Apps
Authors : Aaron Parecki
David Waite
All,
I have updated this short draft with the use case that motivated this
document.
Please, take a look and let me know if you have any comments.
Regards,
Rifaat
---------- Forwarded message ---------
From:
Date: Mon, Jul 8, 2019 at 2:16 PM
Subject: New Version Notification for draft-yusef-o
I've updated my OP projects draft implementation to 02 as well as the
example browser based client using DPoP for those interested
RP: https://murmuring-journey-60982.herokuapp.com
OP: https://op.panva.cz/.well-known/openid-configuration
As I've mentioned in the github issue tracker i think a ser
All,
In preparation for the meeting in Montreal, I just uploaded a new version
of the DPoP draft:
https://tools.ietf.org/html/draft-fett-oauth-dpop-02
Please have a look and let me know what you think. We should make this a
working group item soon.
As you might have noticed, there is also a new
Alissa Cooper has entered the following ballot position for
draft-ietf-oauth-token-exchange-18: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refe
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : OAuth 2.0 Security Best Current Practice
Authors : Torsten Lodderstedt
J
Does it appear strange that Microsoft have called their token exchange flow
implementation
(https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)
On-Behalf-Of flow? I was under the impression that delegation was the core use
case for oauth development i.e.