Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-19 Thread Dominick Baier
Just a quick data point - The Microsoft .NET JWT implementation checks for exp and nbf. Not iat. I guess my real question is - what’s the difference between the two practically speaking - and shouldn’t the more common one (aka supported by most libraries) be used? ——— Dominick Baier On 20. April

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt

2020-04-19 Thread Vladimir Dzhuvinov
Nat, John, thanks for updating the JAR spec. I just reviewed it, in particular the authz request and the security considerations sections. Choosing to make client_id (as top-level parameter) mandatory for all cases, even for those when it can be readily extracted from the JWT, makes the job of impl

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-19 Thread David Waite
There are a number of ambiguities and statements around using JWTs in various contexts: 1. Some implementations interpret "iat" to also have the meaning of "nbf" in the absence of "nbf", although this is AFAIK not prescribed by any spec 2. The DPoP draft’s client-generated tokens have the resour

[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt

2020-04-19 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) Authors : Nat Saki

Re: [OAUTH-WG] Webex meeting changed: OAuth WG Virtual Interim Meeting - April 20th

2020-04-19 Thread Rifaat Shekh-Yusef
All, You can find this meeting material at the following link: https://datatracker.ietf.org/meeting/interim-2020-oauth-05/session/oauth Regards, Rifaat & Hannes On Sun, Apr 19, 2020 at 8:36 AM Rifaat Shekh-Yusef wrote: > > > -- Forwarded message - > From: Web Authorization Pr

[OAUTH-WG] Fwd: Webex meeting changed: OAuth WG Virtual Interim Meeting - April 20th

2020-04-19 Thread Rifaat Shekh-Yusef
-- Forwarded message - From: Web Authorization Protocol Working Group Date: Sun, Apr 19, 2020 at 8:25 AM Subject: Webex meeting changed: OAuth WG Virtual Interim Meeting - April 20th To: You changed the Webex meeting information. When it's time, start your Webex meeting here

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-20 CHANGED

2020-04-19 Thread Rifaat Shekh-Yusef
All, We had an issue with the time allocated for this meeting on the Webex tool, so we fixed that. As with the previous two interim meetings, this one too will be at the same time, *12:00pm EST*. Regards, Rifaat & Hannes On Sun, Apr 19, 2020 at 8:31 AM IESG Secretary wrote: > MEETING DETAILS HAV

[OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-20 CHANGED

2020-04-19 Thread IESG Secretary
MEETING DETAILS HAVE CHANGED. SEE LATEST DETAILS BELOW. The Web Authorization Protocol (oauth) Working Group will hold a virtual interim meeting on 2020-04-20 from 12:00 to 13:00 America/Toronto (16:00 to 17:00 UTC). Agenda: 1. Pushed Authorization Requests https://datatracker.ietf.org/doc/draf

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-19 Thread Vladimir Dzhuvinov
On 16/04/2020 10:10, Dominick Baier wrote: > *iat vs nbf* > What’s the rationale for using iat instead of nbf. Aren’t most JWT > libraries (including e.g. the .NET one) looking for nbf by default? Developers often tend to intuitively pick up "iat" over "nbf" because it sounds more meaningful (my p

Re: [OAUTH-WG] PAR and client metadata

2020-04-19 Thread Vladimir Dzhuvinov
In an off-list conversation Torsten floated the idea of letting confidential PAR-only clients register without redirect_uris, and having this "PAR only" parameter will enable that. A "PAR only" parameter will also prevent client developers from accidentally making plain authz requests (for clients