[OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Schwartz
Sorry to be the bearer of bad news, but here's a negative review of JOSE: JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid - Mike

[OAUTH-WG] Publishing authentication level as first amr value

2016-11-11 Thread Mike Schwartz
Gluu is working on a free open source app called Cred Mgr: github.com/GluuFederation/cred-mgr As the name suggests, this app is a user-facing application that lets the person reset existing credentials and register new credentials. To avoid degrading the security of credentials, we want to m

Re: [OAUTH-WG] Using IdToken instead of Access token

2016-08-04 Thread Mike Schwartz
Sergey, Since no one answered your question, let me pose a few questions to your questions! Wouldn't it give you more flexibility to issue a different token to represent access to the RS API? In terms of passing user claims, couldn't this be done via parameters in the API? Are you trying to do

Re: [OAUTH-WG] Multiple authorization servers for one resource server

2016-03-14 Thread Mike Schwartz
This was the original requirement: " multiple authorization servers that can issue access tokens for one resource server, when the resource server receives an access token from a client application, as the first step, the resource server has to determine which authorization server to use for a

Re: [OAUTH-WG] Multiple authorization servers for one resource server

2016-03-13 Thread Mike Schwartz
I like the idea of an encrypted JWT... I guess if there are multiple AS's, how would you know which key to use? Cycle through each key? Are you suggesting maybe use a non-encrypted JWT that contains an encrypted JWT as a value? Something like {"iss": "https://example.com", "token": "fjbfgy5F

Re: [OAUTH-WG] Multiple authorization servers for one resource server

2016-03-12 Thread Mike Schwartz
Kawasaki-san, This is a really good question: how to know the issuer of a bearer token. Is there a header that could be added to specify the issuer, or other important metadata? - Mike - Michael Schwartz Gluu Founder / CEO m...@gluu.org

Re: [OAUTH-WG] 2nd Call for Adoption: Authentication Method Reference Values

2016-03-03 Thread Mike Schwartz
OAuth Gurus, I know you are all going to approve this AMR spec anyway, but I'd just like to dissent. I think this specification is useless, and potentially harmful. Just as an example--two domains that use "face" as the amr probably have totally different algorithms, sensitivities, training

[OAUTH-WG] typo

2015-09-25 Thread Mike Schwartz
You have a little typo in the abstract: "bearer tokens must to be protected from disclosure in transit and at rest." I think you mean "must be protected" - Mike - Michael Schwartz Gluu Founder / CEO m...@gluu.org