Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30

2021-03-18 Thread Deepak Tiwari
please unsubscribe my email id from your records. On Thu, Mar 18, 2021 at 11:29 PM Mike Jones wrote: > Thanks, Watson. We've published > https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-31 with these changes. > > -- Mike > > -Original Message- > From:

Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)

2021-03-18 Thread Brian Campbell
Thanks Neil. I'll look at incorporating that guidance. Although I think referencing might be more appropriate than incorporating directly. On Mon, Mar 15, 2021 at 3:44 AM Neil Madden wrote: > There is now a draft from the W3C explicitly addressing Spectre and its > impacts on web security. I thi

Re: [OAUTH-WG] Access Token Hash for DPoP

2021-03-18 Thread Brian Campbell
Thanks for this, Justin. Gauging consensus on the two issues discussed again on the call earlier this week has been difficult. Obviously. As I've said, I've gone back and forth in my thinking about both more than a few times. But my sense of the room on Monday was that whatever consensus exists i

Re: [OAUTH-WG] Nonce-based Replay Protection for DPoP

2021-03-18 Thread Brian Campbell
The discussion during the interim wasn't really about replay protection but rather about precomputation and exfiltration. Something like a server contributed nonce can potentially work to address both though so discussing such things gets fuzzy quickly. The approach to replay protection in DPoP is

Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30

2021-03-18 Thread Mike Jones
Thanks, Watson. We've published https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-31 with these changes. -- Mike -Original Message- From: Watson Ladd Sent: Wednesday, March 17, 2021 6:21 PM To: Mike Jones Cc: nat ; r...@cert.org; sec...@ietf.org; oau

[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-31.txt

2021-03-18 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) Authors : Nat Saki

Re: [OAUTH-WG] Authorization handover from mobile app to website

2021-03-18 Thread SOMMER, DOMINIK
I have to admit I can’t read the slides, and the flows aren’t quite self-explanatory. However, just based on the headline I can’t quite figure out how to make a client “in the wild” (= the mobile app) a trusted IdP for a backend. This would basically allow anyone reverse-engineering the app (and

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Rifaat Shekh-Yusef
On Thu, Mar 18, 2021 at 8:07 AM Neil Madden wrote: > > > On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef > wrote: > > On Thu, Mar 18, 2021 at 3:45 AM Neil Madden > wrote: > >> >> >> On 18 Mar 2021, at 05:33, Andrii Deinega >> wrote: >> >> >> The Cache-Control header, even with its strongest dir

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Warren Parad
💯 Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress. On Thu, Mar 18, 2021 at 1:07 PM Neil Madden wrote: > > > On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef > wrote: > > On Thu, Mar 18, 2021 at 3:45 AM Neil Madden >

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Neil Madden
> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef wrote: > > On Thu, Mar 18, 2021 at 3:45 AM Neil Madden > wrote: > > >> On 18 Mar 2021, at 05:33, Andrii Deinega > > wrote: >> >> >> The Cache-Control header, even with its str

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Rifaat Shekh-Yusef
On Thu, Mar 18, 2021 at 3:45 AM Neil Madden wrote: > > > On 18 Mar 2021, at 05:33, Andrii Deinega wrote: > > > The Cache-Control header, even with its strongest directive "no-store", is > pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext > Transfer Protocol: Caching). > >

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Neil Madden
> On 18 Mar 2021, at 05:33, Andrii Deinega wrote: > > > The Cache-Control header, even with its strongest directive "no-store", is > pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext > Transfer Protocol: Caching). > >> This directive is NOT a reliable or sufficient me