Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Denis
Hello Brian, I don't think that's what I'm saying. Some of these concepts are difficult to reason about on a mailing list so I apologize for any miss or poor communication. When requesting a token, the resource or audience parameter can be used to indicate the target service where the client

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Brian Campbell
JWT (which is RFC 7519, not 7515) does define the common/major fields of a JWT. But access tokens aren't necessarily JWTs. On Tue, Aug 1, 2017 at 4:53 AM, Denis wrote: > Hello Brian, > > I don't think that's what I'm sayi

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Phil Hunt
Denis, Why is privacy a concern? OAuth is designed to have the Authorization Server be the issuer of tokens for a specific set of resource servers. The AS represents users on the Resource server. It does not represent users of the client - though they are often the same physical person, they

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Denis
Brian, JWT (which is RFC 7519, not 7515) does define the common/major fields of a JWT. But access tokens aren't necessarily JWTs. Beyond this comment, would you be able to answer the various points and questions ra

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Denis
Phil, Originally, with OAuth the AS and the RS were co-located. Many additional RFCs made extensions and this assumption is no longer valid. draft-ietf-oauth-token-exchange-09 is now opening a Pandora's box where an even more complex situation is envisaged (without explicitly stating it) there wo

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt

2017-08-01 Thread Brian Campbell
Thanks Justin. In my original announcement email, I should have given credit to Torsten as he made many of the updates in -03. So compliments on improvements as well as blame for issues can be pointed to him as well! Your point about document structure is taken and we will look to make the separa

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Brian Campbell
That access tokens aren't always JWTs means that JWT claims or headers cannot be relied on to figure out the issuer of an arbitrary access token. So it's not viable. That was what I was trying to convey as an answer to the various points and questions you made that were in any way related to the or
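Added illustration (editor's example, not code from any participant in the thread or from the token-exchange draft): the two points discussed above, namely that a client names the target service explicitly with the `resource`/`audience` parameters of a token-exchange request, and that the issuer of an arbitrary access token cannot be read from the token because only JWT-formatted tokens carry an `iss` claim at all. Parameter names follow draft-ietf-oauth-token-exchange; the JWT, the opaque reference token and the malformed dotted string are constructed here for the demo, and the JWT is deliberately unsigned (`alg` `none`) so the snippet runs offline.

```python
"""Editor's added example: issuer discovery from a token is not general,
so the target service is named explicitly in the token-exchange request.

Assumptions: draft-ietf-oauth-token-exchange parameter names
(grant_type, subject_token, subject_token_type, resource, audience);
all sample tokens below are constructed and unsigned.
"""
import base64
import json
from typing import Optional
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding (RFC 7515); restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_issuer(token: str) -> Optional[str]:
    """Return the 'iss' claim if `token` is structurally a JWT, else None.

    The signature is NOT verified, so the result is usable only for routing
    or logging, never for an authorization decision. An opaque access token
    (a random reference string) has no claim set to read, which is why
    "look at the token to find its issuer" is not a general mechanism.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # not JWS compact serialization
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    iss = claims.get("iss")
    return iss if isinstance(iss, str) else None


def build_token_exchange_request(subject_token: str, *,
                                 resource: Optional[str] = None,
                                 audience: Optional[str] = None,
                                 subject_token_type: str = ACCESS_TOKEN_TYPE) -> str:
    """Build the x-www-form-urlencoded body of a token-exchange request.

    The client states the target service itself, as a URI (`resource`)
    and/or a logical name (`audience`), instead of expecting the AS to
    infer it from the subject token.
    """
    if resource is None and audience is None:
        raise ValueError("name the target service: resource and/or audience")
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
    if resource is not None:
        params["resource"] = resource
    if audience is not None:
        params["audience"] = audience
    return urlencode(params)


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed demo token: alg "none" with an empty signature segment.
    # A real AS or RS must never accept such a token.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample tokens (not real credentials)
JWT_TOKEN = _make_unsigned_jwt({"iss": "https://as.example.com",
                                "sub": "alice", "aud": "api"})
OPAQUE_TOKEN = "2YotnFZFEjr1zCsicMWpAA"  # reference token: nothing to parse
DOTTED_JUNK = "a.b.c"                    # three segments, not a JWT

if __name__ == "__main__":
    print(peek_issuer(JWT_TOKEN))     # https://as.example.com
    print(peek_issuer(OPAQUE_TOKEN))  # None
    print(peek_issuer(DOTTED_JUNK))   # None
    print(build_token_exchange_request(
        OPAQUE_TOKEN, resource="https://backend.example.com/api"))
```

`peek_issuer` succeeds only for the JWT-shaped token and returns `None` for the opaque reference token, so any AS logic that routed on it would silently fail for a large class of deployed tokens; `build_token_exchange_request` shows the alternative the thread points to, where the client carries the target in `resource`/`audience` and refuses to build a request that names neither.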

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-08-01 Thread Phil Hunt
inline... Phil Oracle Corporation, Identity Cloud Services Architect & Standards @independentid www.independentid.com phil.h...@oracle.com > On Aug 1, 2017, at 12:56 PM, Denis wrote: > > Phil, > > Originally, with OAuth the AS and th

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt

2017-08-01 Thread John Bradley
I agree with Brian on the points about the difference between validating the certificate at the AS for client authentication and the RS. This was definitely intentional. Let's face it, people do a crap job of validating certificates in general. While browsers validating TLS certificates is no