Re: [OAUTH-WG] PAR and client metadata

2020-04-14 Thread Brian Campbell
I was hoping to get to a rough consensus in support of the idea before coming up with a name that everyone will hate :) In the meantime, however, name suggestions are of course welcome. On Tue, Apr 14, 2020 at 2:22 PM Vladimir Dzhuvinov wrote: > I'm all for that. > > I suppose you have already

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-14 Thread Brian Campbell
Hi Filip, My attempts at responses to your questions/comments are inline: On Tue, Apr 14, 2020 at 2:14 AM Filip Skokan wrote: > I've wondered about the decision to use a new scheme before but this time I'd like t

Re: [OAUTH-WG] PAR and client metadata

2020-04-14 Thread Vladimir Dzhuvinov
I'm all for that. I suppose you have already thought of a suitable name? :) Vladimir On 14/04/2020 23:08, Brian Campbell wrote: > Using PAR can facilitate improved security by giving clients a > (relatively) simple means for sending a confidential, integrity > protected, and (for confidential cl

[OAUTH-WG] PAR and client metadata

2020-04-14 Thread Brian Campbell
Using PAR can facilitate improved security by giving clients a (relatively) simple means for sending a confidential, integrity protected, and (for confidential clients anyway) authenticated authorization request. It seems like some of that improved security could be undermined by a malicious actor

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread Vittorio Bertocci
Thanks George, you described exactly what I was thinking. I agree with your conclusions throughout the thread. Now that we have JTI mandatory, preventing tracking intra-API could be achieved only by issuing a new token for every transaction regardless of the presence of a sub, and a sub whose va

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread George Fletcher
Hi Denis, If the same token is used (within a session) for multiple API calls then all those API calls can be correlated together even if the token does not have a 'sub' claim because the token itself is the correlating identifier (same is true for the session identifier). In regards to the

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread Denis
George, I disagree with you: The 'sub' claim must be unique (local to the issuer or globally) with every issued token. In addition, inter-API correlation prevention does not necessarily require a unique token for every API call, since in many cases a session can be opened and one JWT can

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread George Fletcher
On 4/14/20 10:23 AM, Denis wrote: Unfortunately, this is not possible since RFC 7519 (4.1.2) states: The subject value MUST either be scoped to be *locally unique in the context of the issuer or be globally unique*. Regarding this phrase from RFC 7519, I don't agree that it prevents t

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread Denis
Vittorio, one comment in line. It’s certainly possible to conceive ATs without subs, but I think the profile would be way less useful for SDK developers. On the objections: The sub doesn’t have to be a user, if you look at the earlier discussions the case in which the token has been issued for

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread Denis
Vittorio, some comments in line: > An SDK is going to support "sub" whether it is required or optional. When I think about support for sub in this case, I am not thinking about just parsing the sub value if it’s present or not surfacing it in an object model if it’s not; I think about reliably o

[OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-14 Thread Filip Skokan
I've wondered about the decision to use a new scheme before but this time I'd like to challenge the immediate usability of the future spec for one specific case - sender constraining public client Refresh Tokens. If at all

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-14 Thread Vittorio Bertocci
> An SDK is going to support "sub" whether it is required or optional. When I think about support for sub in this case, I am not thinking about just parsing the sub value if it’s present or not surfacing it in an object model if it’s not; I think about reliably offering the higher level jobs to be d