Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-10: (with DISCUSS and COMMENT)

2021-03-02 Thread Benjamin Kaduk
Hi Vladimir, Thank you for the link to the proposed updates, and my apologies for having taken so long to get back to you -- my inbox is in a bit of disarray at the moment, and I have been (over)relying on the datatracker to tell me what I need to be doing. One note from the diff that struck me a

[OAUTH-WG] Milestones changed for oauth WG

2021-03-02 Thread IETF Secretariat
Changed milestone "Submit 'OAuth 2.0 Authorization Server Discovery Metadata' to the IESG", added draft-ietf-oauth-discovery to milestone. URL: https://datatracker.ietf.org/wg/oauth/about/ ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailm

[OAUTH-WG] Milestones changed for oauth WG

2021-03-02 Thread IETF Secretariat
Changed milestone "Submit 'Authentication Method Reference Values' to the IESG", added draft-ietf-oauth-amr-values to milestone. URL: https://datatracker.ietf.org/wg/oauth/about/

[OAUTH-WG] Milestones changed for oauth WG

2021-03-02 Thread IETF Secretariat
Changed milestone "Submit 'Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)' to the IESG", added draft-ietf-oauth-proof-of-possession to milestone. Changed milestone "Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG for consideration as a Proposed Standard", removed draft-ietf

[OAUTH-WG] Milestones changed for oauth WG

2021-03-02 Thread IETF Secretariat
Changed milestone "Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG for consideration as a Proposed Standard", added draft-ietf-oauth-proof-of-possession to milestone. Changed milestone "Submit 'OAuth 2.0 for Native Apps' to the IESG", added draft-ietf-oauth-native-apps to milestone. Cha

[OAUTH-WG] Milestones changed for oauth WG

2021-03-02 Thread IETF Secretariat
Deleted milestone "Submit 'OAuth 2.0 Mix-Up Mitigation' to the IESG". Deleted milestone "Submit 'OAuth 2.0 Security: Closing Open Redirectors in OAuth' to the IESG". Deleted milestone "Submit 'OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution' to the IESG". Deleted mi

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Evert Pot
Thanks Neil & Hans, Our AS doesn't do JWT quite yet. It's in-house, but open source. We don't have RFC 7523 yet, but this does sound like a pretty great longer-term solution. We're a bit time constrained, so perhaps this feature just needs to be done as a one-off before we can do RFC 7523 for r

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Neil Madden
One option is JWT Bearer grant with “jti” and replay prevention (https://tools.ietf.org/html/rfc7523#page-7 ) if your AS supports it. This is nice if some other component is generating the emails as it needs no coordination with the AS. — Neil > On 2 Mar 2021, at 19:04, Evert Pot wrote: > >

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Hans Zandbelt
IMHO this use case is about proving the ownership of an e-mail address to authenticate the user to obtain an access token. The authorization code is not really suitable because it is supposed to be short lived and (more or less by induction) supposed to be associated with an account at the AS. I'd

Re: [OAUTH-WG] One-time token login

2021-03-02 Thread Justin Richer
I agree that it seems strange to use the authorization code in such a manner, though I can see how it could work on a technical basis. While it’s not an exact match, you might want to look at the Device Grant: https://tools.ietf.org/html/rfc8628 Here you i

[OAUTH-WG] One-time token login

2021-03-02 Thread Evert Pot
Dear list, We have a requirement to let users log in to an application via a code sent by email. This code needs to be exchanged for an access/refresh token pair, and should only work once. The access/refresh token scope would give limited access to the application. Since we already use the