[OAUTH-WG] Dynamic Scopes

2018-06-18 Thread Torsten Lodderstedt
Hi all, I have been working lately on use cases where OAuth is used to authorize transactions in the financial sector and electronic signing. What I learned is there is always the need to pass resource ids (e.g. account numbers) or transaction-specific values (e.g. amount or hash to be signed)

Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours

2018-06-18 Thread Brian Campbell
I tried to join this morning but was the only one on the webex (of course, user error could be involved on my part). I didn't have much specific for the call but did want to politely ask the Chairs how the document shepherding was coming along for https://datatracker.ietf.org/doc/draft-ietf-oauth-

Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours

2018-06-18 Thread Rifaat Shekh-Yusef
Hmmm, I did open webex and waited for 10 minutes :) I will be traveling this week, but I will discuss it with Hannes in the coming few days and we will start working on the write-ups for the MTLS and JWT BCP documents soon. Regards, Rifaat On Mon, Jun 18, 2018 at 12:48 PM Brian Campbell wrote

Re: [OAUTH-WG] Dynamic Scopes

2018-06-18 Thread David Waite
One of the reasons I hear for people wanting parameterized scopes is to deal with transactions. I’d love to hear thoughts from the group on if/how OAuth should be used to authorize a transaction, vs authorize access to information/actions for a period of time. This approach for instance sounds

Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours

2018-06-18 Thread Hannes Tschofenig
Rifaat was on the call for 30mins but nobody joined. I couldn’t make it due to a delayed flight. Write-ups are in progress. Ciao Hannes From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: 18 June 2018 18:47 To: Hannes Tschofenig Cc: Subject: Re: [OAUTH-WG] Meeting Invite for the OA

Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours

2018-06-18 Thread Anthony Nadalin
I was dialed in and no one was there From: OAuth On Behalf Of Hannes Tschofenig Sent: Monday, June 18, 2018 2:06 PM To: Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Meeting Invite for the OAuth WG Virtual Office Hours Rifaat was on the call for 30mins but nobody joined. I couldn’t

Re: [OAUTH-WG] Dynamic Scopes

2018-06-18 Thread Jacob Ideskog
This borderlines another problem we've been adressing which is when a client needs to pass on the request to an asyncronous queue. In that case the client can request the AS to "downscope" it's token, and include a signature of the request in the token. (simplified). The dynamic scope approach wou