Yes, I understand. I just wanted to clarify how I came up with ssying POST
is an option.
Regards,
Sascha
On Tue., May 25, 2021, 22:17 A. Rothman, wrote:
> Oh, I see what you mean... however as Justin clarified, the discussion
> here is not about GET vs POST, but rather about user agent vs clien
Oh, I see what you mean... however as Justin clarified, the discussion
here is not about GET vs POST, but rather about user agent vs client
making the request. The former distinction doesn't really matter in this
case, whereas in the latter distinction the client option seems to be
breaking the
Amichai,
I know POST won't be seen often, but the /authorize endpoint may still
accept POST as described here:
https://tools.ietf.org/html/rfc6749#section-3.1
I hope this helps,
Sascha
On Tue., May 25, 2021, 13:00 A. Rothman, wrote:
> Hi Sacha,
>
> Thanks for the links and video!
>
> However
Honestly it didn't even occur to me that someone would try this, since the
entire point of the authorization endpoint is that it's the thing the
user's browser talks to. Adding MTLS just means you're going to have to
send the user to some other endpoint instead, which is then effectively
acting as
I'm actually wondering if we should add discussion about not putting mtls on
the authorisation endpoint into OAuth 2.1. Aaron et al, thoughts?
-Justin
From: A. Rothman [amich...@amichais.net]
Sent: Tuesday, May 25, 2021 7:03 PM
To: Justin Richer
Cc: Sasch
Justin,
Thanks for this analysis. It pretty much sums up my own thoughts about
this better than I could have :-)
I just hope I wasn't 'leading the witness' too much... I'll have to
double-check the details to make sure I didn't miss anything, but as I
understand it, that's more or less it.
It’s different, and I think in this specific case it’s more likely to be less
secure because of a lot of other red flags that I’m seeing around this
description.
One, requiring MTLS on all endpoints without thinking through what that
actually means for developers. This is going to force develop
The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document: - 'OAuth 2.0 Pushed Authorization
Requests'
as Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send
Hi Brian!
Thanks for the clarifications below and the -08. I’ve pushed the document to
IETF Last Call.
Regards,
Roman
From: Brian Campbell
Sent: Friday, May 14, 2021 6:05 PM
To: Roman Danyliw
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD Review of draft-ietf-oauth-par-07
I went ahead and pu
Justin,
Thanks for the clear answer. The distinction you make is indeed exactly
the point I was asking about.
So I got the first answer, which is that it is not compliant.
Now the follow-up question is whether it is known to be any more or less
secure than the normal flow, or simply unknown
Hi Sacha,
Thanks for the links and video!
However I don't think this is what they're doing. There's no par
endpoint, no JSON response (just a redirect with a Location header, that
instead of following, the client is supposed to pass through to the user
agent), etc. It seems more like a regula
One point, the client doesn’t POST to the authorization endpoint, the resource
owner’s browser is supposed to POST to the authorization endpoint — it’s an
important distinction. And in the wild, this is really rare to see in use.
As written, this is not compliant with OAuth2. I agree that this s
On 5/25/21 6:25 PM, Torsten Lodderstedt wrote:
Hi,
Am 25.05.2021 um 16:59 schrieb A. Rothman :
Hi,
In RFC 6749 section 4.1, the Authorization Code Grant flow starts with:
(A) The client initiates the flow by directing the resource owner's
user-agent to the authorization endpoint.
Hello Amichai!
There could be several reasons why you see that behaviour in your web
browser. For example:
- This RFC suggests sending a request to the authorization server, get a
session specific URL back which can be forwarded to the authorization
server via the browser. This is OAuth PAR (Push
Hi,
> Am 25.05.2021 um 16:59 schrieb A. Rothman :
>
> Hi,
>
> In RFC 6749 section 4.1, the Authorization Code Grant flow starts with:
>
> (A) The client initiates the flow by directing the resource owner's
> user-agent to the authorization endpoint. The client includes
> its c
Hi,
In RFC 6749 section 4.1, the Authorization Code Grant flow starts with:
(A) The client initiates the flow by directing the resource owner's
user-agent to the authorization endpoint. The client includes
its client identifier, requested scope, local state, and a
redir
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.
Title : JSON Web Token (JWT) Profile for OAuth 2.0 Access
Tokens
Author : Vittorio Bertocci
File
17 matches
Mail list logo
