On Sun, 30 Apr 2023, 12:01 AM , <oauth-requ...@ietf.org> wrote:
> Send OAuth mailing list submissions to
> oauth@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.ietf.org/mailman/listinfo/oauth
> or, via email, send a message with subject or body 'help' to
> oauth-requ...@ietf.org
>
> You can reach the person managing the list at
> oauth-ow...@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
> Today's Topics:
>
> 1. Protocol Action: 'OAuth 2.0 Demonstrating Proof-of-Possession
> at the Application Layer (DPoP)' to Proposed Standard
> (draft-ietf-oauth-dpop-16.txt) (The IESG)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 28 Apr 2023 15:11:44 -0700
> From: The IESG <iesg-secret...@ietf.org>
> To: "IETF-Announce" <ietf-annou...@ietf.org>
> Cc: The IESG <i...@ietf.org>, draft-ietf-oauth-d...@ietf.org,
> oauth-cha...@ietf.org, oauth@ietf.org, r...@cert.org,
> rfc-edi...@rfc-editor.org, rifaat.s.i...@gmail.com
> Subject: [OAUTH-WG] Protocol Action: 'OAuth 2.0 Demonstrating
> Proof-of-Possession at the Application Layer (DPoP)' to Proposed
> Standard (draft-ietf-oauth-dpop-16.txt)
> Message-ID: <168271990429.49518.565437942085290...@ietfa.amsl.com>
> Content-Type: text/plain; charset="utf-8"
>
> The IESG has approved the following document:
> - 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
> (DPoP)'
> (draft-ietf-oauth-dpop-16.txt) as Proposed Standard
>
> This document is the product of the Web Authorization Protocol Working
> Group.
>
> The IESG contact persons are Paul Wouters and Roman Danyliw.
>
> A URL of this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> Technical Summary
>
> This document describes a mechanism for sender-constraining OAuth 2.0
> tokens via a proof-of-possession mechanism on the application level.
> This mechanism allows for the detection of replay attacks with access
> and refresh tokens.
>
> Working Group Summary
>
> A large number of people reviewed the document over several rounds of
> reviews and provided feedback during meetings and on the mailing list,
> with no blocking comments.
>
> Important clarifications to the document were made based on IETF LC.
>
> Document Quality
>
> There are a number of implementations:
>
> * The OpenID Foundation FAPI2 certification tools have implementations of /
> tests for (most of) DPoP as both an AS/RS & client.
>
> * Authlete has implemented DPoP as an AS / RS.
>
> * The Italian Attribute Authorization Infrastructure has an implementation
> https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/edit#
>
> * liboauth2 library used in OAuth 2.0 Resource Server modules for
> Apache/NGINX (mod_oauth2/ngx_oauth2_module)
> https://github.com/zmartzone/liboauth2/blob/v1.4.5/src/dpop.c#L331-L441
>
> * OSS Nimbus OAuth 2.0 / OIDC Java SDK
> https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/dpop
>
> * c2id server
> https://connect2id.com/products/server/docs/datasheet#dpop
>
> * Synamedia has implemented DPoP in OTT ServiceGuard - Advanced anti-piracy
> security for OTT video services, that includes a secure client library
> providing DPoP generation capabilities to an integrating application.
> Synamedia also supports DPoP as part of Synamedia Go, using an Integrated OTT
> ServiceGuard library in its clients and DPoP validation in its services to
> provide a secure modular platform for OTT video services.
>
> * European Anti-Fraud Office (OLAF) defined a B2B solution for private
> clients based on the DPoP draft version 03. The solution describes the
> behavior of the Relying Party and the Resource Server. Implemented both RP
> and RS in JAVA extending the Spring Framework to add the needed
> functionalities.
>
> * Keycloak: https://www.keycloak.org/
> DPoP status: work in progress (tentatively Keycloak 22)
>
> * Solid
> Servers:
> - Community Solid Server (opensource):
> https://github.com/CommunitySolidServer/CommunitySolidServer
> - Enterprise Solid Server (commercial):
> https://www.inrupt.com/products/enterprise-solid-server
>
> Client libraries:
> - JavaScript: https://github.com/inrupt/solid-client-authn-js/
> - Java: https://github.com/janeirodigital/sai-authentication-java
>
> Note about Solid: it seems that they are following an older version of the
> draft, and have some added behaviour not specified by the draft
>
> Personnel
>
> - Document Shepherd: Rifaat Shekh-Yusef
> - Responsible Area Director: Roman Danyliw
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> ------------------------------
>
> End of OAuth Digest, Vol 174, Issue 47
> **************************************
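The "Technical Summary" in the quoted announcement says what DPoP does but not what a resource server actually checks. The following is an added example, written here and not taken from the draft or from any of the implementations listed above, of the core of that check in Go using only the standard library: a client signs a DPoP proof JWT over one HTTP method and URI with its own key, and the resource server verifies the signature, compares the proof key's thumbprint with the `cnf.jkt` the authorization server bound into the access token (the sender constraint), and rejects a proof whose `jti` it has already seen (the replay detection). The key, the `jti` values, the URI and the fixed `iat` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// jwkJSON renders the public key in RFC 7638 member order, so its SHA-256 is the cnf.jkt the AS binds into the token.
func jwkJSON(pub *ecdsa.PublicKey) string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return `{"crv":"P-256","kty":"EC","x":"` + b64.EncodeToString(x) + `","y":"` + b64.EncodeToString(y) + `"}`
}
func Thumbprint(pub *ecdsa.PublicKey) string { h := sha256.Sum256([]byte(jwkJSON(pub))); return b64.EncodeToString(h[:]) }

// MakeProof signs a DPoP proof JWT (typ dpop+jwt, ES256) for one method and URI; iat is a constructed fixed timestamp.
func MakeProof(k *ecdsa.PrivateKey, jti, htm, htu string) string {
	hdr := `{"typ":"dpop+jwt","alg":"ES256","jwk":` + jwkJSON(&k.PublicKey) + `}`
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": htm, "htu": htu, "iat": 1682719904})
	input := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, k, d[:])
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// Verifier runs the resource-server checks; Seen is the jti cache that makes a replayed proof fail.
type Verifier struct{ Seen map[string]bool }
func (v *Verifier) Verify(proof, jkt, htm, htu string) error {
	var h struct{ Typ, Alg string; Jwk struct{ Crv, Kty, X, Y string } }; var c struct{ Jti, Htm, Htu string }
	p := strings.Split(proof, ".")
	if len(p) != 3 { return errors.New("malformed proof") }
	hb, _ := b64.DecodeString(p[0]); cb, _ := b64.DecodeString(p[1]); sig, _ := b64.DecodeString(p[2])
	if json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil || len(sig) != 64 { return errors.New("malformed proof") }
	if h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.Jwk.Kty != "EC" || h.Jwk.Crv != "P-256" { return errors.New("unsupported proof") }
	xb, _ := b64.DecodeString(h.Jwk.X); yb, _ := b64.DecodeString(h.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	d := sha256.Sum256([]byte(p[0] + "." + p[1])) // a JWS signs header.payload
	if !pub.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return errors.New("bad signature") }
	if Thumbprint(pub) != jkt { return errors.New("proof key does not match the token's cnf.jkt") }
	if c.Htm != htm || c.Htu != htu { return errors.New("proof is bound to a different request") }
	if v.Seen[c.Jti] { return errors.New("replayed proof: jti already seen") }
	v.Seen[c.Jti] = true; return nil
}
```

A production verifier additionally bounds `iat` to a freshness window (which also bounds how long the `jti` cache must remember entries), checks the `ath` hash when the proof accompanies an access token, and checks a server-issued nonce where one is in use; those are left out here to keep the sender-constraint and replay checks in view.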