[OAUTH-WG] Re: Notes from Transaction Tokens call

2024-12-13 Thread Atul Tulshibagwale
Hi all, Please note that we will be discussing these topics in the interim meeting on Dec 16th, so it will help to review the notes in these GitHub issues to get up to speed on the discussion so far. Thanks, Atul On Fri, Nov 22, 2024 at 10:44 AM Atul Tulshibagwale wrote: > Hi all, > We w

[OAUTH-WG] Notes from Transaction Tokens call

2024-11-22 Thread Atul Tulshibagwale
<https://github.com/oauth-wg/oauth-transaction-tokens/issues/119#issuecomment-2494145037> - Batch processing and TraTs <https://github.com/oauth-wg/oauth-transaction-tokens/issues/111#issuecomment-2494299546> Atul -- Atul Tulshibagwale CTO <https://www.linkedin.com/in/t

[OAUTH-WG] Review requested for a draft in saag

2024-09-18 Thread Atul Tulshibagwale
to review. You can post your review feedback to the saag mailing list. Thanks, Atul -- Atul Tulshibagwale CTO <https://www.linkedin.com/in/tulshi/> <https://x.com/zirotrust> ___ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org

[OAUTH-WG] Fwd: [oauth-wg/oauth-transaction-tokens] Batch or long running processes and extending lifetime of a token (Issue #111)

2024-09-05 Thread Atul Tulshibagwale
Subject: Re: [oauth-wg/oauth-transaction-tokens] Batch or long running processes and extending lifetime of a token (Issue #111) To: oauth-wg/oauth-transaction-tokens < oauth-transaction-tok...@noreply.github.com> Cc: Atul Tulshibagwale , Comment @gffletch <https://github.com/gffletch>

[OAUTH-WG] Re: OAuth 2.0 Protected Resource Metadata - Implementations

2024-07-10 Thread Atul Tulshibagwale
If it makes sense, we could add an "Implementation Status" section, like it is proposed in this RFC: https://www.rfc-editor.org/rfc/rfc7942.html On Wed, Jul 10, 2024 at 10:43 AM Michael Jones wrote: > OpenID Federation implementations use the Protected Resource Metadata > definitions in this spe

[OAUTH-WG] Re: OAuth WG @ IETF120 - Draft Agenda

2024-07-10 Thread Atul Tulshibagwale
Thanks Rifaat, looks like a packed agenda! On Tue, Jul 9, 2024 at 10:30 AM Rifaat Shekh-Yusef wrote: > All, > > Here is our draft agenda for our 3 OAuth sessions at IETF120: > https://datatracker.ietf.org/doc/agenda-120-oauth/ > > Please, take a look and let us know what you think. > > Regards,

[OAUTH-WG] Transaction tokens discussion at IETF 120

2024-06-21 Thread Atul Tulshibagwale
3AIETF120-discuss> during IETF 120. We would like to request the chairs for time during the IETF 120 meeting to discuss the new draft and the open issues. Thanks, Atul Tulshibagwale, George Fletcher, and Pieter Kasselman

Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

2024-04-12 Thread Atul Tulshibagwale
ould >> give us more flexibility as will let us define our own set of input >> parameters and validation rules (opposite to Token Exchange that restricts >> us to subject_token and friends). >> >> >> >> Regards, >> >> Dmitry >> >>

Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

2024-04-04 Thread Atul Tulshibagwale
little background, but I have a few comments and questions below. > > On Fri, Mar 29, 2024 at 10:39 AM Atul Tulshibagwale wrote: > >> Hi all, >> We had a meeting today (notes here >> <https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>) in which we discussed the >>

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-03-29 Thread Atul Tulshibagwale
o, should be "expected to retrieve". The language can also be more normative: "...The client SHOULD retrieve..." 8. Section 5.3: Do we need this section? The spec doesn't use "Client Identifier" anywhere, so the section may not be needed in this spec.

[OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

2024-03-29 Thread Atul Tulshibagwale
hts on this topic. Thanks, Atul -- <https://sgnl.ai> Atul Tulshibagwale CTO <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust> ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

2024-03-27 Thread Atul Tulshibagwale
Hi all, I'd committed to reviewing the draft at IETF 119, so here is my feedback up to section 3.1: 1. Section 1: The sentence "Each protected resource publishing metadata about itself makes its own metadata document available at a well-known location rooted at the protect resource's URL,

Re: [OAUTH-WG] Transaction tokens draft-ietf-oauth-transaction-tokens-01 - my comments

2024-03-25 Thread Atul Tulshibagwale
Hi Yaron, Thank you so much for this feedback. I've created issues for many of the items in your email, and a PR for the minor text fixes you identified. Atul On Sun, Mar

Re: [OAUTH-WG] Call for adoption - Transaction Tokens

2023-11-15 Thread Atul Tulshibagwale
Hi Dmitry, Even if it doesn't count (and I too am not familiar with the voting rules), you can still record your vote by sending an email to this list. The issue tracker is here for now: https://github.com/SGNL-ai/transaction-tokens/issues Atul On Wed, Nov 15, 2023 at 2:10 PM Dmitry Telegin wro

Re: [OAUTH-WG] [External Sender] Call for adoption - Identity Chaining

2023-11-14 Thread Atul Tulshibagwale
I support the adoption On Tue, Nov 14, 2023 at 6:49 AM George Fletcher wrote: > I'm supportive of adoption > > On Tue, Nov 14, 2023 at 7:59 AM Rifaat Shekh-Yusef < > rifaat.s.i...@gmail.com> wrote: > >> All, >> >> This is an *official* call for adoption for the *Identity Chaining * >> draft: >>

Re: [OAUTH-WG] [External Sender] Call for adoption - Transaction Tokens

2023-11-14 Thread Atul Tulshibagwale
I support the adoption too On Tue, Nov 14, 2023 at 8:07 AM Kristina Yasuda wrote: > I support adoption too. > > > > *From:* OAuth *On Behalf Of *George Fletcher > *Sent:* Tuesday, November 14, 2023 6:48 AM > *To:* rifaat.s.ietf > *Cc:* oauth > *Subject:* Re: [OAUTH-WG] [External Sender] Call

Re: [OAUTH-WG] sub_id in draft for Transaction tokens

2023-10-26 Thread Atul Tulshibagwale
Hi Kai, Thanks for this and other feedback you have provided. The primary reason for using "sub_id" was to enable a format that can be more expressive than the "sub", which is always a string. I can see the benefit of having either "sub" or "sub_id" in the Transaction Tokens spec. "sub" will allo

[OAUTH-WG] Updated Transaction Tokens draft

2023-10-20 Thread Atul Tulshibagwale
Hi all, Here is the updated Transaction Tokens draft, which is on the agenda for Prague. In the new draft, we have incorporated the feedback received in IETF 117, as well as removed the "Nested Transaction Tokens" part. Salient points are: 1. Transaction Tokens now have separate claims for:

Re: [OAUTH-WG] [External Sender] Re: Questions on OAuth Protected Resource Metadata

2023-09-27 Thread Atul Tulshibagwale
BTW I'm trying to conjure a scenario where there is a system level request from the app that results in the consent being asked by Apple, and not directly by the app acting as an OAuth client. On Wed, Sep 27, 2023 at 12:18 PM Atul Tulshibagwale wrote: > The scenario I am concerned about

Re: [OAUTH-WG] [External Sender] Re: Questions on OAuth Protected Resource Metadata

2023-09-27 Thread Atul Tulshibagwale
s. The >>> client software knows the API, but at the OAuth layer, the client just >>> needs to know what values to put into the OAuth flow to be able to call the >>> RS and have it work. That value could very well be an opaque string, which >>> is supported by

Re: [OAUTH-WG] Questions on OAuth Protected Resource Metadata

2023-09-22 Thread Atul Tulshibagwale
Hi, #1 is clear now. Thanks Warren. On #2, thanks Neil and Warren for your clarifications. Does it make sense to include language that warns against requesting unknown scopes in the OPRM draft? Atul On Thu, Sep 21, 2023 at 11:17 AM Neil Madden wrote: > On 21 Sep 2023, at 17:19, A

[OAUTH-WG] Questions on OAuth Protected Resource Metadata

2023-09-21 Thread Atul Tulshibagwale
Hi all, I'm still looking for answers to these two questions regarding the OPRM draft that was recently adopted by the WG: 1. If I have a resource server that has multiple endpoints, each of which require different sc

[OAUTH-WG] Transaction Tokens updated draft

2023-09-08 Thread Atul Tulshibagwale
pdated draft: https://www.ietf.org/archive/id/draft-tulshibagwale-oauth-transaction-tokens-03.html Please review and share your feedback here. Thanks, Atul -- <https://sgnl.ai> Atul Tulshibagwale CTO <https://linkedin.com/in/tulshi> <https://

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-09-06 Thread Atul Tulshibagwale
I too have these open questions: https://mailarchive.ietf.org/arch/msg/oauth/NLj-xnAZ4BtFs9z62OzCro4xxoc/ But I hope they are answered as the draft progresses in the WG. On Wed, Sep 6, 2023 at 7:08 AM Brian Campbell wrote: > I did have a few unanswered comments/questions on the draft > https://m

Re: [OAUTH-WG] [External Sender] Re: Call for adoption - Protected Resource Metadata

2023-09-05 Thread Atul Tulshibagwale
tic RS documentation could be used to > describe which scopes are needed for which endpoints. However, as we move > authorization to be more fine-grained I'm wondering if "scopes" is really > the right mechanism :) > > Thanks, > George > > On Thu, Aug 31, 2023 a

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-31 Thread Atul Tulshibagwale
Hi all, I have a couple of questions about the OPRM draft. 1. If I have a resource server that has multiple endpoints, each of which require different scopes, how should those be handled? For example, in the SSF spec, the SSF Transmitter has a Create Stream endpoint and a Polling endp

Re: [OAUTH-WG] IETF117 - OAuth WG call for topics

2023-07-07 Thread Atul Tulshibagwale
Hi Rifaat, I'd like some time to discuss the "Transaction Tokens" draft. The Internet Draft submission is here, and the HTML version can be viewed here. Thanks, Atul O

Re: [OAUTH-WG] Fw: New Version Notification for draft-burgin-jenkins-identity-chaining-00.txt

2022-11-11 Thread Atul Tulshibagwale
+Dr. Kelley W Burgin Hi, Kelley would like to respond, so I'm copying him here (he only has the digest of the day) On Wed, Nov 9, 2022 at 11:08 AM Warren Parad wrote: > I think it would be confusing for implementers to have to figure out the > difference between this implementation and > https:

[OAUTH-WG] Subject identifiers in FTA

2022-11-09 Thread Atul Tulshibagwale
Hello, I've spoken to Pieter about this at IETF 115, but this draft (which is likely to get approved) of subject identifiers could be considered for the FTA work. This is to enable multiple trust domains to talk about subjects of tokens in a consistent way. This is already used in the OpenID SSE

[OAUTH-WG] Fine-grained Transactional Authorization (formerly RPC authorization)

2022-10-26 Thread Atul Tulshibagwale
r the "work stream" or "working group". We would love to get comments and feedback about this charter, and participation in the discussions which we are proposing to have at IETF 115. Thanks, Atul -- Atul Tulshibagwale CTO, SGNL <https://sgnl.ai> <http

[OAUTH-WG] RPC Security workshop

2022-09-22 Thread Atul Tulshibagwale
Hi all, Subsequent to the presentations Rifaat, Kelley and I

[OAUTH-WG] RPC Security Standards Requirements Notes

2022-07-26 Thread Atul Tulshibagwale
latform provider or across multiple cloud platforms 4. It should be super efficient in order to not increase the latency or throughput of such a frequent action as an RPC I look forward to discussing this further in the side meetings. A PDF version of the notes is attached. Thanks, At

Re: [OAUTH-WG] OAuth WG Agenda @ IETF114

2022-07-18 Thread Atul Tulshibagwale
*A reminder *since* this is something new... On Mon, Jul 18, 2022 at 12:44 PM Atul Tulshibagwale wrote: > Hi all, > A reminder this is something new: If you are curious about what the "RPC > Security Standard" item on the agenda is, please review this blog post for >

Re: [OAUTH-WG] OAuth WG Agenda @ IETF114

2022-07-18 Thread Atul Tulshibagwale
Hi all, A reminder this is something new: If you are curious about what the "RPC Security Standard" item on the agenda is, please review this blog post for background information: https://sgnl.ai/2022/06/why-we-need-an-rpc-security-standard/ I hope to be able to highlight the issue, and gauge inte

[OAUTH-WG] Do we need a new RPC security standard?

2022-07-01 Thread Atul Tulshibagwale
Hi all, I'm new to this list, so let me start by introducing myself: I'm Atul Tulshibagwale, CTO of SGNL, a company that was started in Q4 last year, and which is focused on enterprise authorization solutions. I am also the co-chair of the OpenID Foundation's Shared Signals