Re: [OAUTH-WG] OAuth WG Virtual Meeting During IETF 107?

2020-03-13 Thread Benjamin Kaduk
On Fri, Mar 13, 2020 at 10:37:50AM -0700, William Denniss wrote: > Now that the IETF 107 virtual meeting agenda was posted > , > and only includes BOFs and new WGs, should we schedule our own virtual > meeting for the

Re: [OAUTH-WG] OAuth WG Virtual Meeting During IETF 107?

2020-03-13 Thread Rifaat Shekh-Yusef
We are actually considering scheduling a *series of interim meetings* and discussing one or two subjects in each one of these meetings to give each topic the time it deserves, similar to the last interim meeting we did around the PoP topic. This will allow us to choose the right time for most people, a

Re: [OAUTH-WG] First Draft of OAuth 2.1

2020-03-13 Thread Neil Madden
We have had several customers express interest in sliding expiration (idle timeouts) of refresh tokens and push back against rotation, particularly for mobile apps where they worry that the false positive rate with rotation can be too high to be practical due to flaky network connections. Neil

Re: [OAUTH-WG] First Draft of OAuth 2.1

2020-03-13 Thread Torsten Lodderstedt
> On 12. Mar 2020, at 23:14, Vittorio Bertocci wrote: > > Rotation can be used to detect leakage, right? Client credentials offer more > guarantees, but unless you are using private JWTs with a non exportable > certificate as client cred, a classic client secret _could_ technically leak. > H

Re: [OAUTH-WG] First Draft of OAuth 2.1

2020-03-13 Thread Torsten Lodderstedt
> On 12. Mar 2020, at 23:08, Pedro Igor Silva wrote: > > I don't but people using our AS. As I mentioned, rotation for such clients > does not make sense but we had to deal with it. > > I just wanted to bring an example of how rotation can't be added without a > significant impact on develop

Re: [OAUTH-WG] First Draft of OAuth 2.1

2020-03-13 Thread Dominick Baier
Off the top of my head, rotation is useful for 2 things:
* reducing the likelihood that an "old" refresh token is still valid (e.g. "found" on some device, log file, source code etc...)
* being able to revoke all the active refresh tokens if a refresh token is used twice
...and yes it introduces a
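The two mechanisms discussed in this thread, refresh token rotation with reuse detection (Dominick's second point) and sliding idle expiration without rotation (Neil's customers' preference), side by side as an added illustration. This is not code from any message in the thread or from any real authorization server; the in-memory store, the `rotate` switch, the family id, the error strings and the leaked-token scenario in `demo()` are all constructed here for the example.

```python
"""Refresh-token rotation vs. sliding expiration for a hypothetical authorization server.

Illustrative code added to this thread archive; not the code of any real AS.
The store, its method names and the scenario in demo() are constructed assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RefreshTokenRecord:
    family: str            # every token descended from one authorization grant shares this id
    client_id: str
    last_used_at: float    # basis of the sliding (idle) expiration
    rotated: bool = False  # set once the token has been exchanged for a successor


class RefreshTokenStore:
    """rotate=True : each refresh returns a new token; the old one stays in the store marked
                     'rotated' so a second presentation is recognized as reuse and the whole
                     family is revoked.
       rotate=False: the same token is returned and its idle clock is reset (sliding
                     expiration); retries are harmless but nothing detects a leaked copy."""

    def __init__(self, idle_timeout: float, rotate: bool = True,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.rotate = rotate
        self.clock = clock
        self._tokens: dict[str, RefreshTokenRecord] = {}

    def issue(self, client_id: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshTokenRecord(
            family=family or secrets.token_urlsafe(16),
            client_id=client_id,
            last_used_at=self.clock(),
        )
        return token

    def family_of(self, token: str) -> str:
        return self._tokens[token].family

    def active_tokens(self, family: str) -> int:
        return sum(1 for r in self._tokens.values() if r.family == family and not r.rotated)

    def revoke_family(self, family: str) -> int:
        doomed = [t for t, r in self._tokens.items() if r.family == family]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def refresh(self, token: str, client_id: str) -> str:
        """Exchange a refresh token; raises PermissionError with an OAuth-style reason."""
        rec = self._tokens.get(token)
        if rec is None or rec.client_id != client_id:
            raise PermissionError("invalid_grant: unknown refresh token")
        if rec.rotated:
            # Presented twice: a legitimate client retrying after a lost response, or a
            # leaked copy being replayed. The AS cannot tell which, so it revokes every
            # token in the family and forces a fresh authorization.
            self.revoke_family(rec.family)
            raise PermissionError("invalid_grant: refresh token reuse detected")
        now = self.clock()
        if now - rec.last_used_at > self.idle_timeout:
            self.revoke_family(rec.family)
            raise PermissionError("invalid_grant: refresh token expired (idle)")
        if not self.rotate:
            rec.last_used_at = now          # sliding expiration only
            return token
        rec.rotated = True                  # keep the record so reuse stays detectable
        return self.issue(client_id, rec.family)


def demo() -> dict:
    """Constructed walkthrough with a fake clock; returns a dict of observed outcomes."""
    now = [1_000_000.0]

    def clock() -> float:
        return now[0]

    out = {}
    # Rotation: a copy of rt1 is assumed to have leaked (e.g. into a log file).
    store = RefreshTokenStore(idle_timeout=3600, rotate=True, clock=clock)
    rt1 = store.issue("mobile-app")
    family = store.family_of(rt1)
    rt2 = store.refresh(rt1, "mobile-app")            # normal rotation
    out["rotated_is_new"] = rt2 != rt1
    try:
        store.refresh(rt1, "mobile-app")              # leaked copy replayed
        out["reuse_detected"] = False
    except PermissionError as e:
        out["reuse_detected"] = "reuse" in str(e)
    out["family_revoked"] = store.active_tokens(family) == 0
    try:
        store.refresh(rt2, "mobile-app")              # the honest successor is dead too
        out["successor_revoked"] = False
    except PermissionError:
        out["successor_revoked"] = True

    # Sliding expiration without rotation: use within the idle window keeps it alive.
    sliding = RefreshTokenStore(idle_timeout=3600, rotate=False, clock=clock)
    rt = sliding.issue("mobile-app")
    now[0] += 3000
    out["sliding_same_token"] = sliding.refresh(rt, "mobile-app") == rt
    now[0] += 3000   # 6000 s since issue, only 3000 s since last use: still valid
    out["sliding_still_valid"] = sliding.refresh(rt, "mobile-app") == rt
    now[0] += 3601   # idle window exceeded
    try:
        sliding.refresh(rt, "mobile-app")
        out["idle_expired"] = False
    except PermissionError as e:
        out["idle_expired"] = "idle" in str(e)
    return out
```

The trade-off from the thread is visible in `demo()`: with `rotate=True` a replayed token costs the legitimate client its session as well (the false positive Neil's customers worry about when a flaky network drops the response carrying the new token), while with `rotate=False` the same token can be presented any number of times within the idle window and a leaked copy is indistinguishable from the real client.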