Re: [OAUTH-WG] Upcoming interim meetings

2020-04-08 Thread Roman Danyliw
Hi! Indeed, thanks for this OAuth specific list. As a PSA, the “official page” of upcoming meetings (OAuth, or otherwise) will also have points to the webex, agenda and materials too. See: https://datatracker.ietf.org/meeting/upcoming. Roman From: OAuth On Behalf Of Aaron Parecki Sent: Wedn

[OAUTH-WG] Upcoming interim meetings

2020-04-08 Thread Aaron Parecki
Hi all, I find it particularly difficult to follow the list of upcoming meetings in email threads, and given that there are a whole host of upcoming interim meetings, I thought I would put together an easier way to find the agendas and webex links. You can find the list of upcoming meetings here:

Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

2020-04-08 Thread Dick Hardt
Francis We had a long discussion on this topic earlier this year: https://mailarchive.ietf.org/arch/msg/oauth/mG6tkmXSOxwakC0184snKCGxfSE/ On Wed, Apr 8, 2020 at 3:25 PM Francis Pouatcha wrote: > Hello Aaron, > > Deprecating Resource Owner Password Credentials Flow (Direct Grant) > without re

Re: [OAUTH-WG] Dealing with oAuth redirect_uri in draft-parecki-oauth-v2-1 and need for AS back channel initiation endpoint

2020-04-08 Thread Justin Richer
Francis, The backchannel-first pattern that you are discussing is one of the key components of TxAuth, which we are discussing on the txa...@ietf.org mailing list, and I invite you to join the conversation there. I have a project to implement these ideas that’s document

Re: [OAUTH-WG] Dealing with oAuth redirect_uri in draft-parecki-oauth-v2-1 and need for AS back channel initiation endpoint

2020-04-08 Thread Francis Pouatcha
Hello Aaron, > As much as I would love to require that all authorization requests are > initiated via a back channel, that is unfortunately not something that is > in scope of the current OAuth 2.1 document. > > The OAuth 2.0 Security BCP and this document require strict redirect URI > matching, w

Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

2020-04-08 Thread Francis Pouatcha
Hello Aaron, Deprecating Resource Owner Password Credentials Flow (Direct Grant) without replacement might make a strict OAuth 2.1 server (with no backward compatibility to OAuth 2.0) unusable for a good part of "First Party" applications on the market. These are application environments where the

Re: [OAUTH-WG] Dealing with oAuth redirect_uri in draft-parecki-oauth-v2-1 and need for AS back channel initiation endpoint

2020-04-08 Thread Aaron Parecki
Hi Francis, As much as I would love to require that all authorization requests are initiated via a back channel, that is unfortunately not something that is in scope of the current OAuth 2.1 document. The OAuth 2.0 Security BCP and this document require strict redirect URI matching, which should

Re: [OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

2020-04-08 Thread Aaron Parecki
Hi Francis, The Resource Owner Password Credentials grant is being deprecated in the OAuth 2.0 Security BCP: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-2.4 > The resource owner password credentials grant MUST NOT be used. As this OAuth 2.1 draft is meant to consolid

[OAUTH-WG] Dealing with oAuth redirect_uri in draft-parecki-oauth-v2-1 and need for AS back channel initiation endpoint

2020-04-08 Thread Francis Pouatcha
There is a lot of effort associated with the handling and correct validation of a redirect_uri sent to the AS as part of the front channel authorization request, as this gets transported by user agents. The draft-parecki-oauth-v2-1 as a replacement of RFC 6749 must make sure redirect_uri is only s

[OAUTH-WG] Direct Grant missing in draft-parecki-oauth-v2-1

2020-04-08 Thread Francis Pouatcha
As a replacement of RFC 6749 I am missing a "Direct Grant" with the same simplicity as the "Resource Owner Password Credentials" grant of RFC 6749. The reason is that browser redirects are too complex and most of the time badly implemented by small teams. For the sake of having SMEs use OAuth 2.1

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-06

2020-04-08 Thread Rifaat Shekh-Yusef
You can find the minutes of the meeting on the link below: https://datatracker.ietf.org/meeting/interim-2020-oauth-03/materials/minutes-interim-2020-oauth-03-202004061800 Thanks to *Jared Jennings* for taking these notes. Regards, Rifaat On Sun, Apr 5, 2020 at 5:47 PM Rifaat Shekh-Yusef wrot