arer token RFC.
>>
>> Cheers,
>>
>> Vladimir
>>
>>
>> On 16/09/2024 16:40, Pieter Kasselman wrote:
>>
>> Hi Vladimir
>>
>>
>>
>> Thanks for reading the draft and raising questions. See responses inline.
>>
>>
>>
>
>
> On 16/09/2024 16:40, Pieter Kasselman wrote:
>
> Hi Vladimir
>
>
>
> Thanks for reading the draft and raising questions. See responses inline.
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* Vladimir Dzhuvinov / Connect2id
>
>
Pieter
*From:* Vladimir Dzhuvinov / Connect2id
*Sent:* Friday 13 September 2024 07:50
*To:* oauth@ietf.org
*Subject:* [OAUTH-WG] Re: Call for adoption - First Party Apps
I read the proposed spec and it's evident substantial work has gone
into it. Congratulations for this.
How does the 1s
Hi Vladimir
Thanks for reading the draft and raising questions. See responses inline.
Cheers
Pieter
From: Vladimir Dzhuvinov / Connect2id
Sent: Friday 13 September 2024 07:50
To: oauth@ietf.org
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
I read the proposed spec and it
I read the proposed spec and it's evident substantial work has gone into
it. Congratulations for this.
How does the 1st party flow compare to the (deprecated in OAuth 2.1)
password grant? People with existing 1st party apps that rely on the
password grant or consider using it are going to look
Neil, I don't know if you've seen the several presentations I did at the
last few IETF meetings about this work, but a large part of the motivation
of this work is because *currently* people are bending over backwards to
provide a native user experience for their first party apps and doing so in
a
I agree with you that how a 1P AS authenticates the user needs to be
carefully examined. You may be correct that how it is done needs to be
revised.
My point is that many deployments are 1P deployments, and the protocol can
be simpler for those use cases, which is the objective of the draft fro
I know that apps that accept credentials directly are commonplace. But the direction of travel has so far been to discourage that: eg deprecating ROPC, requiring use of an external vs embedded user-agent etc. (Sorry, I misremembered: it’s BCP 212 that requires this, not the security BCP — and it h
Neil
Users input credentials directly into apps all the time in OAuth -- it is
at the AS.
There are many deployments that use OAuth where the AS and RS are the same
party. The objective of this draft (as I understand it) is to provide a
simplified OAuth flow for this use case. The BCP does not ad
The draft is motivated by allowing native apps to provide a login journey for OAuth rather than using the browser. This encourages people to input credentials directly into apps, which (a) directly contradicts the advice in the security BCP, and (b) opens up users to significantly more attack vecto
I, as an author, support adoption of this draft.
From: Rifaat Shekh-Yusef
Sent: Tuesday 3 September 2024 11:47
To: oauth
Subject: [OAUTH-WG] Call for adoption - First Party Apps
All,
As per the discussion in Vancouver, this is a call for adoption for the First
Party Apps draft:
https://datatr
IMO, we're getting very off topic here. The WebAuthn text is not part of
the draft being called for adoption.
On Thu, Sep 5, 2024 at 2:15 AM Neil Madden wrote:
> On 5 Sep 2024, at 05:45, David Waite wrote:
> >
> >
> >
> >> On Sep 4, 2024, at 4:27 PM, Neil Madden
> wrote:
> >>
> >>> On 4 Sep
On 5 Sep 2024, at 05:45, David Waite wrote:
>
>
>
>> On Sep 4, 2024, at 4:27 PM, Neil Madden wrote:
>>
>>> On 4 Sep 2024, at 22:48, Watson Ladd wrote:
>>>
>>> I can always grab the cookie jar off the user browser if I have that
>>> level of access.
>>
>> USB access is not privileged, but
> On Sep 4, 2024, at 4:27 PM, Neil Madden wrote:
>
> On 4 Sep 2024, at 22:48, Watson Ladd wrote:
>>
>> I can always grab the cookie jar off the user browser if I have that
>> level of access.
>
> USB access is not privileged, but that’s beside the point.
>
> Put another way, the phishing-r
On 4 Sep 2024, at 22:48, Watson Ladd wrote:
>
> On Wed, Sep 4, 2024 at 2:46 PM Neil Madden wrote:
>>
>>
>>
>> On 4 Sep 2024, at 21:31, Tim Cappalli wrote:
>>
>>
>>>
>>> Thanks, that’s good to know. Does it preserve phishing resistance? Ie the
>>> app cannot spoof the rpId?
>>
>>
>> T
A native UI does not rule out WebAuthn/FIDO, in fact we have an in-progress
branch of the draft that shows how you could support passkeys with this
spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93
While there isn't an RFC for authenticating first-party apps, there is
plenty of prece
I am a bit skeptical about this one. I’m not convinced we should be
recommending native UI until/unless we have a really good story around
authenticating first-party apps. Without such a story, I don’t think this
should be adopted. Unless I’m mistaken, a native UI also rules out
WebAuthn/FIDO-b
I, as an author of this draft, unsurprisingly support adoption.
Aaron
On Tue, Sep 3, 2024 at 3:47 AM Rifaat Shekh-Yusef
wrote:
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the
> First Party Apps draft:
> https://datatracker.ietf.org/doc/draft-parecki-oauth-fir
Hi
I strongly support adoption.
Joseph
> On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef wrote:
>
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the First
> Party Apps draft:
> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>
> Please, re
+1
On 04.09.24 at 15:30, David Brossard wrote:
I support adoption
On Tue, Sep 3, 2024 at 4:03 AM Dick Hardt wrote:
I support adoption.
On Tue, Sep 3, 2024 at 11:47 AM Rifaat Shekh-Yusef
wrote:
All,
As per the discussion in Vancouver, this is a
call for
I support adoption
On Tue, Sep 3, 2024 at 4:03 AM Dick Hardt wrote:
> I support adoption.
>
> On Tue, Sep 3, 2024 at 11:47 AM Rifaat Shekh-Yusef <
> rifaat.s.i...@gmail.com> wrote:
>
>> All,
>>
>> As per the discussion in Vancouver, this is a call for adoption for the
>> First Party Apps draft:
I support adoption.
On Tue, Sep 3, 2024 at 11:47 AM Rifaat Shekh-Yusef
wrote:
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the
> First Party Apps draft:
> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>
> Please, reply on the mailing lis