Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt

2017-08-03 Thread Torsten Lodderstedt
Hi Justin, thanks for reviewing the draft. > On 01.08.2017 at 21:57, Brian Campbell wrote: > > Thanks Justin. > > In my original announcement email, I should have given credit to Torsten as > he made many of the updates in -03. So compliments on improvements as well as > blame for issues

Re: [OAUTH-WG] How could an IdP create an id token for one audience RP without knowing for which RP ?

2017-08-03 Thread Torsten Lodderstedt
+1 > On 31.07.2017 at 16:01, John Bradley wrote: > > For access tokens I would like to see a use case for a completely > decoupled and anonymous RS that is not just a misuse of OAuth for > Authentication, before trying to add a feature like this.

Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

2017-08-03 Thread John Bradley
Before I make a change. Do we know if some browsers don’t support Referrer-Policy and may still need Content-Security-Policy? We could recommend sending both or provide some hint about browser strings to look for. John B. > On Aug 2, 2017, at 6:46 PM, Brian Campbell wrote: > > Not sure of t

Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

2017-08-03 Thread John Bradley
Brian To answer my own question to some extent, this page has support status for the browsers: http://caniuse.com/#feat=referrer-policy It looks like only Firefox supports strict-origin. Most of them support origin. Some like IE, Opera Mini and older versions of Android (4) don’t support Ref

Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

2017-08-03 Thread Brian Campbell
Really all I know is that recent versions of Chrome complain that referrer is an unrecognized Content-Security-Policy directive, which led me to look up the changes and content in my original message. On Thu, Aug 3, 2017 at 9:35 AM, John Bradley wrote: > Brian > > To answer my own question to so

Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

2017-08-03 Thread John Bradley
No one ever said that browsers are consistent. I think Chrome has supported a subset of the new header for a while but won’t have full support until Chrome 61 gets out of beta. Is Chrome showing a user-visible error with the old header? Easiest thing would be to use the new header and deny acce

Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

2017-08-03 Thread Brian Campbell
No, Chrome only shows the error message deep inside the developer tools console. On Thu, Aug 3, 2017 at 10:51 AM, John Bradley wrote: > No one ever said that browsers are consistent. > > I think Chrome has supported a subset of the new header for a while but > won’t have full support until Chrom

Re: [OAUTH-WG] draft-ietf-oauth-closing-redirectors has obsolete header for referer control

2017-08-03 Thread John Bradley
Good, so you could send both to be safe without it breaking. John B. > On Aug 3, 2017, at 12:55 PM, Brian Campbell > wrote: > > No, Chrome only shows the error message deep inside the developer tools > console. > > On Thu, Aug 3, 2017 at 10:51 AM, John Bradley > wr