Re: [OAUTH-WG] DPoP - IPR Disclosure

2022-08-11 Thread Daniel Fett
I am not aware of any IPR relating to this document. -Daniel On 10 August 2022 23:37:20 CEST, Rifaat Shekh-Yusef wrote: >Daniel, Brian, John, Torsten, Mike, and David, > >As part of the shepherd write-up for the *DPoP* document, there is a need >for an IPR disclosure from the authors. >htt

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-11 Thread Jaimandeep Singh
Hi Mikheil, 1. Well explained by Brian. I will just add my perspective. > From the practical perspective, if the confidential client got a refresh > token for the offline access and sufficient time (e.g., for a month), this > would be quite impractical and not very user-friendly to ask a lot of u

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-11 Thread mikheil
Hi Brian, Thanks for the prompt response. We will work with our vendors to get this done according to the RFC. Best Regards, Mikheil Kapanadze From: Brian Campbell Sent: Thursday, 11 August, 2022 21:04 To: mikh...@association.ge Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Certificate-bound r

Re: [OAUTH-WG] DPoP - Implementations

2022-08-11 Thread Vladimir Dzhuvinov
Hello Rifaat, We are very pleased with DPoP and hope to see more people using it in future. DPoP in the OSS Nimbus OAuth 2.0 / OIDC Java SDK: https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/dpop In the c2id server: https://connect2id.com/products/server/docs/d

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-11 Thread Brian Campbell
Hi Mikheil, Your assumption is the correct reading of the RFC. Or the intent of the RFC anyway. For confidential clients, refresh tokens are bound to the client id (not the certificate thumbprint or anything else for that matter). RFCs can't be changed after publication so adding more clarificati

[OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-11 Thread mikheil
Hi, I have noticed that some OAuth2 AS implementations use certificate thumbprints to bind not only access tokens but also refresh tokens to client certificates. This happens for both public and confidential clients. As a result, when the certificate is replaced (e.g., it is about to expire soo

Re: [OAUTH-WG] DPoP - Implementations

2022-08-11 Thread Hans Zandbelt
There's DPoP support in liboauth2: https://github.com/zmartzone/liboauth2/blob/v1.4.5/src/dpop.c#L331-L441 albeit it is not updated to the latest draft yet. liboauth2 is used in OAuth 2.0 Resource Server modules for Apache/NGINX (mod_oauth2/ngx_oauth2_module) Hans. On Wed, Aug 10, 2022 at 11:39 PM Ri

Re: [OAUTH-WG] DPoP - Implementations

2022-08-11 Thread Giuseppe De Marco
Hi Rifaat, In Italy DPoP was adopted in the Attribute Authority Infrastructure; below is a quick overview with few details https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/ the Italian d

Re: [OAUTH-WG] DPoP - Implementations

2022-08-11 Thread Joseph Heenan
Hi Rifaat The OpenID Foundation FAPI2 certification tools have implementations of / tests for (most of) DPoP as both an AS/RS & client. Authlete has implemented DPoP as an AS / RS. Thanks Joseph > On 10 Aug 2022, at 22:39, Rifaat Shekh-Yusef wrote: > > All, > > As part of the shepherd writ

Re: [OAUTH-WG] DPoP - IPR Disclosure

2022-08-11 Thread Torsten Lodderstedt
I also am unaware of any IPR. best regards, Torsten. > On 11.08.2022 at 05:54, David Waite wrote: > > I also am unaware of any IPR. > > -DW > >> On Aug 10, 2022, at 3:37 PM, Rifaat Shekh-Yusef >> wrote: >> >> Daniel, Brian, John, Torsten, Mike, and David, >> >> As part of the shepher