[OAUTH-WG] Grant flow for delegated auth

2018-05-24 Thread Sergey Ponomarev
Hi, My Auth Server (AS) implementation has a client (server of another platform) which makes authorization on its side but it needs to populate user info to my AS and receive an access token to work with my platform. What I mean is that they need just to log in the user to my platform but without user's

Re: [OAUTH-WG] Grant flow for delegated auth

2018-05-24 Thread Brian Campbell
Take a look at RFC 7523's JWT Authorization Grant. On Thu, May 24, 2018 at 1:17 AM, Sergey Ponomarev wrote: > Hi, > > My Auth Server (AS) implementation has a client (server of another > platform) which makes authorization on its side but it needs to popul
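The grant Brian points to, worked through as an added example (this is not code from the thread, RFC 7523, or either poster's implementation): the partner platform authenticates the user itself, mints a signed JWT asserting who that user is, and POSTs it to our AS token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; the AS validates issuer, signature, audience, expiry and jti before issuing an access token. Assumed for the example: HS256 with a per-client secret registered out of band (RFC 7523 allows any JWS algorithm, and an asymmetric RS256/ES256 key is the usual choice so the AS never holds a client's signing secret), the hypothetical endpoint URL https://as.example.com/token, and constructed client and user identifiers.

```python
"""RFC 7523 JWT authorization grant, client and AS side, standard library only.

Added example, not code from the thread. Assumptions: HS256 with a per-client
secret registered out of band, and a hypothetical token endpoint URL that
doubles as the JWT audience.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"  # assumed; the assertion's required audience


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact JWS, HS256 over base64url(header).base64url(payload)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# ---- client side: the partner platform that already authenticated the user ----
def build_assertion(client_id: str, user_id: str, secret: bytes, now=None) -> str:
    """JWT carrying the claims RFC 7523 section 3 requires of an assertion."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": client_id,        # issuer: the partner platform that signs it
        "sub": user_id,          # the user it authenticated, as known to our AS
        "aud": TOKEN_ENDPOINT,   # audience: our token endpoint, so the JWT is useless elsewhere
        "iat": now,
        "exp": now + 300,        # short lifetime bounds the replay window
        "jti": secrets.token_urlsafe(16),  # unique id so the AS can reject replays
    }
    return sign_jwt(claims, secret)


def token_request_body(assertion: str) -> str:
    """Form body the client POSTs to the token endpoint (RFC 7523 section 2.1)."""
    return f"grant_type={JWT_BEARER}&assertion={assertion}"


# ---- AS side ----------------------------------------------------------------
class AuthServer:
    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> registered HS256 secret (assumed registration)
        self.seen_jti = set()    # consumed assertion ids; persist this in a real AS
        self.issued = {}         # access_token -> subject it was issued for

    def handle_token_request(self, body: str, now=None) -> dict:
        now = time.time() if now is None else now
        form = parse_qs(body)
        if form.get("grant_type") != [JWT_BEARER]:
            return {"error": "unsupported_grant_type"}
        assertion = form.get("assertion", [""])[0]
        try:
            h64, p64, s64 = assertion.split(".")
            header = json.loads(b64url_decode(h64))
            claims = json.loads(b64url_decode(p64))
        except ValueError:       # wrong part count, bad base64 or bad JSON
            return {"error": "invalid_grant"}
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return {"error": "invalid_grant"}
        # Pin the algorithm: never let header["alg"] (e.g. "none") choose verification.
        if header.get("alg") != "HS256":
            return {"error": "invalid_grant"}
        secret = self.clients.get(claims.get("iss"))
        if secret is None:       # unknown issuer, so no key to verify with
            return {"error": "invalid_client"}
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return {"error": "invalid_grant"}
        if claims.get("aud") != TOKEN_ENDPOINT:   # minted for some other AS
            return {"error": "invalid_grant"}
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return {"error": "invalid_grant"}    # expired or missing exp
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            return {"error": "invalid_grant"}    # replayed assertion
        self.seen_jti.add(jti)
        # Assertion checks out: issue an access token for the asserted user.
        token = secrets.token_urlsafe(32)
        self.issued[token] = claims.get("sub")
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

The AS looks up the verification key from iss before touching the signature, and pins the algorithm rather than reading it from the header; together with the aud, exp and jti checks this is what stops a stolen or forged assertion from being turned into a token. The sub value is whatever identifier the partner and the AS agreed on for the user, which is exactly the "populate user info" step from the question.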

Re: [OAUTH-WG] Comments on draft-ietf-oauth-security-topics-06.txt

2018-05-24 Thread Joseph Heenan
Hi Denis, This presentation is only describing one attack. Page 12 summarises it. The attack is not a full attack targeted against oauth, but it shows how a malicious network can steal any codes returned to the browser in the URL, even if the codes are always sent over TLS. I was only respondi

[OAUTH-WG] I-D Action: draft-ietf-oauth-reciprocal-00.txt

2018-05-24 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : Reciprocal OAuth Author : Dick Hardt Filename: draft-ietf-oauth-reciprocal-00.txt

Re: [OAUTH-WG] OAUTB for Access Token in Implicit Grant

2018-05-24 Thread Brian Campbell
Yeah, that's what is implied. At least given the way that https://tools.ietf.org/html/draft-ietf-tokbind-https provides to signal to the client to reveal the Referred Token Binding. I've heard that there's some potential for the Fetch spec to provide some APIs or controls around Token Binding, whi