Re: [OAUTH-WG] PAR: pushed requests must become JWTs

2020-01-09 Thread Torsten Lodderstedt
I would assume given the status of JAR, we don’t want to change it. And as I said, this difference does not impact interoperability from client perspective. > Am 09.01.2020 um 00:58 schrieb Richard Backman, Annabelle > : > >  > It would be more appropriate to add the text to JAR rather than PA

Re: [OAUTH-WG] review draft-ietf-oauth-security-topics-13 [2/3]

2020-01-09 Thread Daniel Fett
Hi Hans, Am 11.11.19 um 10:57 schrieb Hans Zandbelt: > > P17 > About the description of the mixup attack: as long as the attacker is > able to trigger a request (by having the user click a link) and read > the query/POST parameters on the A-AS (perhaps from the logs) he can > execute a mixup attac

Re: [OAUTH-WG] Cryptographic hygiene and the limits of jwks_uri

2020-01-09 Thread Mike Jones
This is a good thing to think about. Thanks for bringing this up, Annabelle. One thing that partially mitigates this is that the “use” and/or “key_ops” attributes can be provided. This can allow signing keys to be differentiated from encryption keys, for instance. I’m not as worried about encryp

Re: [OAUTH-WG] PAR: pushed requests must become JWTs

2020-01-09 Thread Torsten Lodderstedt
Thanks for the text proposal. It works for me. > Am 09.01.2020 um 20:34 schrieb Richard Backman, Annabelle > : > >  > If we address this in PAR, I suggest something along the lines of the > following: > > As defined in [JAR], the request_uri parameter is required to reference a > Request Ob

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

2020-01-09 Thread Brian Campbell
The scenario I described in the beginning of this thread (response_type=token+id_token and response_mode=form_post) started out a bit more humbly as a way to facilitate a simple and efficient cross-domain sign-on with id_token response type and form_post response mode. Somewhat analogous to SAML SS

Re: [OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode

2020-01-09 Thread Mike Jones
I completely agree with Brian’s analysis and suggestions. FYI, as far as how common this pattern is, “id_token token” with the Form Post Response Mode is the default for Microsoft Azure Active Directory identity interactions. You can view Alex Simon’s Identiverse presentations, including https

Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

2020-01-09 Thread Dick Hardt
+1 to Annabelle's point. Different crypto operations should be able to use separate key pairs to allow a separation of duties. On Thu, Jan 9, 2020 at 4:25 PM Richard Backman, Annabelle wrote: > The “typ” field helps prevent misrepresentation of a legitimately issued > JWT, but it doesn’t addre