Thanks for the help, Brian.  I’ve updated the PR 
https://github.com/danielfett/draft-dpop/pull/89/ in the third commit 
(https://github.com/danielfett/draft-dpop/pull/89/commits/66b1e679376509ca38862dcbce2635ee307309b4) 
to address your comments.

Further reviews and feedback welcomed!

                                                       -- Mike

From: Brian Campbell <[email protected]>
Sent: Tuesday, January 25, 2022 9:13 AM
To: Mike Jones <[email protected]>
Cc: [email protected]
Subject: Re: [OAUTH-WG] dpop_jkt Authorization Request Parameter PR Updated

The text that talks about matching the code challenge needs to be fixed too.

https://github.com/danielfett/draft-dpop/pull/89/files#diff-cbb16c6731a89f7daa2f8f1963f5c005633f4273846af12926d187292cb3a66bR996

On Tue, Jan 25, 2022 at 7:37 AM Brian Campbell 
<[email protected]> wrote:
The changes to the example to add PKCE aren't valid PKCE. The appendix from the 
original https://datatracker.ietf.org/doc/html/rfc7636#appendix-B might be a 
better place to borrow example content from.

I believe also that review comments had requested some treatment of the 
optionality/requiredness of the new dpop_jkt parameter.



On Mon, Jan 24, 2022 at 8:41 PM Mike Jones 
<[email protected]> wrote:
I’ve addressed the review comments on the dpop_jkt PR 
https://github.com/danielfett/draft-dpop/pull/89/ in commit 
https://github.com/danielfett/draft-dpop/pull/89/commits/6e0ff26e9aa2bf9bf1aacf9ba2ce29de0c032004.
  Specifically, the commit:

  *   Specifies that SHA-256 is used for the JWK Thumbprint
  *   Adds PKCE to the example
  *   Describes how the attacks mitigated by DPoP binding of the authorization 
code can arise

                                                       -- Mike

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

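The thread above turns on two details of the dpop_jkt PR: the PKCE values in the draft's example must actually be a valid code_verifier / code_challenge pair, and dpop_jkt is the SHA-256 JWK Thumbprint of the client's DPoP public key, which the authorization server later matches against the key in the DPoP proof at the token endpoint. The following Python is an added illustration, not code from the thread, the draft, or its authors: it derives an S256 code_challenge (checked against the RFC 7636 Appendix B vector), computes the RFC 7638 thumbprint, builds the authorization request carrying both, and performs the two token-endpoint checks. All function names, the sample P-256 JWK, and the client_id, redirect_uri and state values are assumptions made for the example.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding both PKCE and JWK thumbprints use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- PKCE (RFC 7636) -------------------------------------------------------

def new_code_verifier() -> str:
    """32 random octets -> a 43-character base64url code_verifier (as in RFC 7636 App. B)."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for code_challenge_method=S256."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_matches(code_verifier: str, code_challenge: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented verifier."""
    return secrets.compare_digest(pkce_challenge_s256(code_verifier), code_challenge)


# --- JWK Thumbprint (RFC 7638) used as the dpop_jkt value --------------------

# Required members per key type; RFC 7638 hashes only these, in lexicographic order.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037
}


def jwk_thumbprint_sha256(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, no whitespace; kid/alg/use are ignored."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dpop_jkt_matches(dpop_jkt: str, proof_jwk: dict) -> bool:
    """Token-endpoint check: the key in the DPoP proof must be the one bound to the code."""
    return secrets.compare_digest(jwk_thumbprint_sha256(proof_jwk), dpop_jkt)


# --- Authorization request carrying PKCE and dpop_jkt ------------------------

def authorization_request(authz_endpoint: str, client_id: str, redirect_uri: str,
                          state: str, code_verifier: str, dpop_jwk: dict) -> str:
    """Client side: bind the pending authorization code to both the verifier and the DPoP key."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": pkce_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
        "dpop_jkt": jwk_thumbprint_sha256(dpop_jwk),
    }
    return f"{authz_endpoint}?{urlencode(params)}"


# Sample P-256 public JWK, constructed for this example (coordinates are not validated here).
SAMPLE_DPOP_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

if __name__ == "__main__":
    verifier = new_code_verifier()
    # Placeholder endpoint, client_id, redirect_uri and state values.
    print(authorization_request("https://server.example.com/authorize", "s6BhdRkqt3",
                                "https://client.example.org/cb", "af0ifjsldkj",
                                verifier, SAMPLE_DPOP_JWK))
    print("dpop_jkt:", jwk_thumbprint_sha256(SAMPLE_DPOP_JWK))
```

The two checks at the token endpoint are independent: PKCE ties the code to the verifier the client holds, while dpop_jkt ties it to the key the client proves possession of, so a stolen code fails even if an attacker also captured the verifier but not the private key. Both comparisons are constant-time, and the thumbprint is computed from the proof's own JWK rather than trusted from any client-supplied string.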
