Yes I think merging the drafts and not reusing PKCE is the correct path. Protection for code in the browser redirect also needs to be added to fully protect the w
On Aug 23, 2016, at 4:54 PM, William Denniss <[email protected]> wrote: +1 to adopt. I would like us to develop a unified approach and merge the current drafts. On Tue, Aug 23, 2016 at 7:58 AM Torsten Lodderstedt <[email protected]> wrote: > +1 > > I would also propose to focus use of token binding to detect replay of > tokens (access, refresh, code) > > > Am 22.08.2016 um 23:02 schrieb Brian Campbell: > > I agree with Tony, if I understand what he's saying. > https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> > was largely a straw-man to get the conversation started. But after talking > with people in Berlin, reviewing Dirk's document, and thinking about it > some more - it's not clear that PKCE is a great fit for token binding the > authorization code. > > Token binding the authorization code is, I think, something we want to > account for. But using/extending PKCE might not be the way to go about it. > And whatever approach we land on should probably be just one part of the > larger document on OAuth 2.0 Token Binding. > > On Tue, Aug 16, 2016 at 3:26 PM, Anthony Nadalin <[email protected]> > wrote: > >> I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token- >> binding-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> >> but not sure that https://tools.ietf.org/html/ >> draft-campbell-oauth-tbpkce-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> >> is a good starting point as we would want a more generic solution for PoP >> tokens in general >> >> >> >> *From:* OAuth [mailto:[email protected]] *On Behalf Of *Brian >> Campbell >> *Sent:* Tuesday, August 16, 2016 11:45 AM >> *To:* Hannes Tschofenig < <[email protected]> >> [email protected]> >> *Cc:* [email protected] >> *Subject:* Re: [OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0 >> >> >> Just a friendly reminder that the 'deadline' for this call for adoption >> is tomorrow. >> >> >> According to the minutes from Berlin >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fproceedings%2f96%2fminutes%2fminutes-96-oauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=5UfCdNKt2iVuFfdiSELqGto9yFSuzjRvdk9rBlGyMz8%3d>, >> 13 people were in favor of adopting OAuth 2.0 Token Binding and 0 were >> against. >> >> >> On Wed, Aug 3, 2016 at 1:45 AM, Hannes Tschofenig < >> <[email protected]>[email protected]> wrote: >> >> Hi all, >> >> this is the call for adoption of the 'OAuth 2.0 Token Binding' document >> bundle* following the positive call for adoption at the recent IETF >> meeting in Berlin. >> >> Here are the links to the documents presented at the last IETF meeting: >> https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-jones-oauth-token-binding-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=xvSOCX9FFLdJWikbxzxKgjEWjU%2frqZs1mmsvNsFHWZw%3d> >> https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-campbell-oauth-tbpkce-00&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=gDQIAohk3uNIMgRl5dNgofQr832IWlboumgfycnPmYg%3d> >> >> Please let us know by August 17th whether you accept / object to the >> adoption of this document as a starting point for work in the OAuth >> working group. >> >> Ciao >> Hannes & Derek >> >> *: We will find out what the best document structure is later, i.e., >> whether the content should be included in one, two or multiple documents. >> >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caaa85f447951456bf73c08d3c60582aa%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=E9HUI5JUL%2fYw%2fvnEWGBwEu28r%2fNdF53rdoLP5%2fU46uU%3d> >> >> >> > > > > _______________________________________________ > OAuth mailing [email protected]https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
