This is a follow-up of the OAuth workshop held in Zurich on July 13th.
At the end of the first day, Sven Hammann made a presentation on the
following topic:
"A private mode for OpenID Connect"
Slide 14 indicated the motivation of the presentation:
The IdP learns at which Relying Parties (RP
Hi Yaron,
I don't actually know, which is why I raised the question in hopes that, if
possible, the BCP could provide some practical and actionable advice. But
I'll try and explain my (maybe naive) thoughts.
As I understand it, CRIME/BREACH are adaptive-chosen-plaintext attacks that
work via malic
I think there may be some confusion between two different things that can use
JWT.
In OAuth a client asks for authorization to access some API set of resources.
The AS is supposed to gather consent.
In principle to construct some reasonable dialog for the user to grant the
consent and to be ab
I don't think that's what I'm saying. Some of these concepts are difficult
to reason about on a mailing list so I apologize for any miss or poor
communication.
When requesting a token, the resource or audience parameter can be used to
indicate the target service where the client intends to use the
Brian, thanks for the update. This is really coming along!
I think the spec would benefit from a more clear separation of the client
authentication and resource access sections. They’re really almost two
different but related specs, but there’s enough overlap that I think that
keeping them in t