[OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00

2024-11-13 Thread Janak Amarasena
Hi All, I created GitHub issues[1] #125 to #131 covering the feedback I provided through my previous email. [1] - https://github.com/oauth-wg/oauth-first-party-apps/issues Best Regards, Janak Amarasena On Fri, Nov 1, 2024 at 11:43 AM Janak Amarasena wrote: > Hi All, > > I have gon

[OAUTH-WG] Feedback on draft-ietf-oauth-first-party-apps-00

2024-10-31 Thread Janak Amarasena
The authorization server MUST ensure that the same key is used in all subsequent Authorization Challenge Requests, or in the eventual token request…” I think it was meant to say “... Authorization Challenge Requests, and in the eventual token request…” Best Regards, Janak Amarasena

Re: [OAUTH-WG] Clarifications regarding aud claim in JWT AT profile

2022-07-18 Thread Janak Amarasena
gards, Janak Amarasena On Fri, Jul 15, 2022 at 2:54 PM Warren Parad wrote: > The aud claim should be the "application" or "resource server" that the > token would be used with, neither the authorization server nor the client > that receives the token should be the va

[OAUTH-WG] Clarifications regarding aud claim in JWT AT profile

2022-07-14 Thread Janak Amarasena
feels a bit counterintuitive as the client application would not generally consume the access token itself, but rather use it to access a resource. Best Regards, Janak Amarasena ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] JSON based access token requests for OAuth 2.1

2020-10-06 Thread Janak Amarasena
he group yet. > > https://www.ietf.org/id/draft-richer-oauth-json-request-00.html > > Aaron > > > > > > > On Tue, Oct 6, 2020 at 7:18 AM Janak Amarasena > wrote: > >> Hi All, >> >> As per my understanding OAuth 2(RFC6749) doesn't m

[OAUTH-WG] JSON based access token requests for OAuth 2.1

2020-10-06 Thread Janak Amarasena
ts on referencing the use of this as well for access token requests? Best Regards, Janak Amarasena

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-01 Thread Janak Amarasena
or code "invalid_token". If that is not the case, which kind of scenarios would occur for an AS to respond with the error code "invalid_token"? Best Regards, Janak Amarasena On Sun, May 31, 2020 at 2:25 AM Benjamin Kaduk wrote: > On Fri, May 22, 2020 at 11:37:28AM +0200, De

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-05-18

2020-05-20 Thread Janak Amarasena
Hi Rifaat, Any chance of getting the recording of the meeting? Best Regards, Janak Amarasena On Tue, May 19, 2020 at 3:40 PM Rifaat Shekh-Yusef wrote: > Hi Filip, > > I have uploaded the slides to the materials page here: > > https://datatracker.ietf.org/meeting/interi

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-15.txt

2020-05-12 Thread Janak Amarasena
pattern matching. Best Regards, Janak Amarasena On Fri, May 8, 2020 at 2:53 PM Denis wrote: > Hi Daniel, > > Thank you for pointing to your dissertation which has the following title > : An Expressive Formal Model of the Web Infrastructure. > > Since it is 240 pages lo

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-par-00.txt

2019-09-23 Thread Janak Amarasena
ri parameter belongs to the authorization server." WDYT? Best Regards, Janak Amarasena On Mon, Sep 23, 2019 at 11:47 PM Torsten Lodderstedt < tors...@lodderstedt.net> wrote: > Hi Janak, > > thanks for your feedback to PAR as well. > > > On 22. Sep 2019, at 21:51, Jan

Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-00.txt

2019-09-22 Thread Janak Amarasena
;client_id=s6BhdRkqt3* HTTP/1.1 Best Regards, Janak Amarasena On Sat, Sep 21, 2019 at 4:32 PM Torsten Lodderstedt wrote: > Hi all, > > I just published a new draft that Brian Campbell, Dave Tonge, Filip > Skokan, Nat Sakimura and I wrote. > > https://tools.ietf.org/html/draf

Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-rar-02.txt

2019-09-22 Thread Janak Amarasena
etails" could be manipulated by the user (Resource Owner) as the client is trying to access the user's resources which the user is giving consent to? Also, the resulting token will contain the given permissions as well. Best Regards, Janak Amarasena On Sat, Sep 21, 2019 at 11:21 PM Torsten

Re: [OAUTH-WG] New OAuth for Browser-Based Apps draft -02

2019-07-09 Thread Janak Amarasena
meant by the below statement. *If POSTs in particular from unsupported single-page applications* are to be rejected as errors per authorization server security policy... Best Regards, Janak Amarasena On Tue, Jul 9, 2019 at 6:43 AM Leo Tohill wrote: > I see now that my arguments for softening

Re: [OAUTH-WG] Device Authorization Grant Interval

2019-06-03 Thread Janak Amarasena
reviously suggested seems > appropriate. > > > > On Mon, Jun 3, 2019 at 9:55 AM Janak Amarasena > wrote: > >> Hi Joseph, >> >> Thank you for the information, this is what I was also thinking. It would be >> nice if this can be defined in the specificat

Re: [OAUTH-WG] Device Authorization Grant Interval

2019-06-03 Thread Janak Amarasena
nse-when-client-polls > > The thought that group came up with is that returning ‘invalid_request’ > would be appropriate - ideally appropriate error_description to make it > easy to understand what’s going on. > > Cheers, > > Joseph > > > > On 21 May 201

[OAUTH-WG] Device Authorization Grant Interval

2019-05-20 Thread Janak Amarasena
Hi all, In the OAuth2 Device Authorization Grant, what would be an appropriate response if the client does not respect the set polling interval and keeps on polling with a lower interval? Thank you, Best Regards, Janak Amarasena