Hi
We've had a user asserting that "OAuth2 == OpenidConnect", referring to
the fact that the 'only' thing OIC adds on top of the authorization code
flow is the client specifying a few extra scopes like 'openid' and
'profile' and the authorization service returning an extra property, the
id_toke
Sent from my BlackBerry 10 smartphone on the Telkomsel network.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
just sharing with you how this very “issue” has lately been used in a real-life
attack:
http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html
regards
antonio
On Oct 9, 2014, at 3:34 PM, Antonio Sanso wrote:
> hi again *,
>
> apologies to bother you again with thi
Repeating the note about acceptable algorithms in the JWT spec sounds fine.
On Sat, Oct 11, 2014 at 1:54 PM, Mike Jones wrote:
> > From: Richard Barnes [mailto:r...@ipv.sx]
> > Sent: Friday, October 10, 2014 2:37 PM
> > To: Mike Jones
> > Cc: The IESG; oauth-cha...@tools.ietf.org; oauth@ietf.org
Hi Justin,
On 13/10/14 12:53, Justin Richer wrote:
You are correct in that OAuth 2 and OpenID Connect are not the same
thing, but your user is correct that OIDC adds a few pieces on top of
OAuth to add authentication capabilities. OIDC was designed very
explicitly to be compatible with vanilla OA
Thanks for your review Benoit. I'm adding the working group to the thread so
they're aware of your comments. Replies inline below...
> -Original Message-
> From: Benoit Claise [mailto:bcla...@cisco.com]
> Sent: Monday, October 13, 2014 6:34 AM
> To: The IESG
> Cc: Tom Taylor; oauth-cha.
On 13/10/2014 16:13, Mike Jones wrote:
Thanks for your review Benoit. I'm adding the working group to the thread so
they're aware of your comments. Replies inline below...
-Original Message-
From: Benoit Claise [mailto:bcla...@cisco.com]
Sent: Monday, October 13, 2014 6:34 AM
To: The
Thanks for your review, Tim. I've added the working group to the thread so
they're aware of your comments. Replies are inline below...
> -Original Message-
> From: Benoit Claise [mailto:bcla...@cisco.com]
> Sent: Monday, October 13, 2014 6:45 AM
> To: Tim Wicinski; ops-...@ietf.org; dra
On 13/10/14 15:17, Justin Richer wrote:
You certainly can do authentication without using an access token, but
then I would argue that's no longer OAuth. Basically you're making tofu
carob fudge.
Right, the access token is there for a client to get to the UserInfo
endpoint, as far as OIDC is c
I'm adding the working group to this thread so they're aware of the discussion.
Replies are inline below...
> From: Brian Campbell [mailto:brian.d.campb...@gmail.com]
> Sent: Monday, October 13, 2014 7:52 AM
> To: Barry Leiba
> Cc: Benoit Claise; The IESG; oauth-cha...@tools.ietf.org;
> draft-
Re-adding the working group to the thread...
> -Original Message-
> From: barryle...@gmail.com [mailto:barryle...@gmail.com] On Behalf Of Barry
> Leiba
> Sent: Monday, October 13, 2014 7:59 AM
> To: Brian Campbell
> Cc: Benoit Claise; The IESG; oauth-cha...@tools.ietf.org; draft-ietf-oauth
Note that there is a 2nd conference call scheduled for this Thursday:
http://www.ietf.org/mail-archive/web/oauth/current/msg13494.html
Participants:
* Brian Campbell
* Mike Jones
* William Kim
* John Bradley
* John Mandel
* Justin Richer
Notes:
The aim of the discussion here is to produce a
During the OAuth conference call today I asked whether someone had
looked at this paper published at the recent Blackhat US conference and
nobody knew about it.
Hence, I am posting it here:
* Paper:
https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph
The point to be made is if the client’s objective is to authenticate the User,
the base 6749 spec does not guarantee this at all.
It simply authorizes the client to access a resource and nothing more.
It turns out that a significant part of the time authentication does occur, but
the client doe
Hi Phil
Thanks for the clarifications,
On 13/10/14 20:18, Phil Hunt wrote:
The point to be made is if the client’s objective is to authenticate the User,
the base 6749 spec does not guarantee this at all.
It simply authorizes the client to access a resource and nothing more.
It turns out that
Hi!
I have read through the paper, and what they consider a flaw in OAuth 2 is
the fact that for the implicit grant flow the access token is sent to the
client through the User Agent, and thus the User Agent can intercept it.
What they find is that "social network provider X" allows the implicit
Sergey,
Actually, I think your comments are fine. They add to the discussion on why A4C
is distinct from OIDC’s larger IDP role in an OAuth style flow and why *both*
are needed.
Comments inline.
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
On Oct 13, 2014, at 1:24 PM, Se