Re: [OAUTH-WG] PAR - Can AS/client require request object?

2020-05-13 Thread Vladimir Dzhuvinov
+1 for require_request_objects AS metadata parameter. The natural place for this parameter for me would be the JAR spec. Vladimir On 12/05/2020 09:27, Torsten Lodderstedt wrote: > Hi all, > > I initially raised the question whether the AS should be able to require > request objects for all cli

Re: [OAUTH-WG] proposed resolution for PKCE in OAuth 2.1

2020-05-13 Thread Torsten Lodderstedt
Hi all, I would also like to thank everybody for the substantial discussion. The proposed change for Section 4.1.2.1 works for me (as already stated). I’m not fully comfortable with the proposed change for Section 9.7 for the following reasons: - The text is weaker than Section 4.1.2.1 since

Re: [OAUTH-WG] Usage of Password Grant

2020-05-13 Thread Evert Pot
On 2020-05-10 10:20 a.m., Aaron Parecki wrote: > Hi Beena, > > This sounds like a great use of the client credentials grant. The > password grant is being removed from OAuth 2.0 by the Security Best > Current Practice. Can you clarify what you've found useful about the > password grant that the cl

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-05-18

2020-05-13 Thread Brian Campbell
Just wanted to note that there is a newer -01 revision of the document on the agenda https://www.ietf.org/id/draft-ietf-oauth-dpop-01.html On Wed, May 13, 2020 at 6:16 AM IESG Secretary wrote: > The Web Authorization Protocol (oauth) Working Group will hold > a virtual interim meeting on 2020-05

[OAUTH-WG] OAuth 2.1 mimetype

2020-05-13 Thread Evert Pot
Currently OAuth 2 uses application/json as its main mimetype for JSON responses. This has at least two drawbacks: 1. Content-negotiation is a good way to version/alter behavior of endpoints/introduce extensions or modifications. 2. In systems that use Web Linking, it's harder to use a

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-13 Thread Steinar Noem
Sorry for coming late in the game, but I really think that the "sub" claim should be OPTIONAL instead of REQUIRED. We are implementing OAuth 2.0 for the Norwegian health sector, where we have several resources in production already. I don't think the "sub" claim should have different meaning depen

[OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-13 Thread Rifaat Shekh-Yusef
All, Based on the 3rd WGLC, we believe that we have consensus to move this document forward. https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/ We will be working on the shepherd write-up and then submit the document to the IESG soon. Regards, Rifaat & Hannes

[OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-05-18

2020-05-13 Thread IESG Secretary
The Web Authorization Protocol (oauth) Working Group will hold a virtual interim meeting on 2020-05-18 from 18:00 to 19:00 Europe/Vienna (16:00 to 17:00 UTC). Agenda: DPOP https://tools.ietf.org/html/draft-ietf-oauth-dpop-00 Information about remote participation: https://ietf.webex.com/ietf/j.p

[OAUTH-WG] Virtual Interim meeting next Monday, May 18th -- DPOP Discussion

2020-05-13 Thread Hannes Tschofenig
Hi all, As discussed at the last virtual interim meeting call we will add another slot next Monday to talk about DPOP. This is a continuation of the DPOP discussion we had during one of our virtual interim meeting slots. Please find the meeting invite in the calendar. Ciao Hannes & Rifaat