Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread John Bradley
Yes, FAL3 would be about binding the ID token, not the access token, so it is
different from what Mike proposed for implicit.



On Fri, Jul 16, 2021, 2:18 PM Justin Richer  wrote:

> Binding the access token is not required for FAL3. FAL has nothing to say
> about access tokens:
>
> https://pages.nist.gov/800-63-FAQ/#q-c8
>
> FAL3 is about presenting proof of a key representing the user alongside an
> assertion representing the user. In OIDC this would mean something like the
> ID token having a key identifier inside of it and the RP prompting the user
> for the key. This has nothing to do with access tokens, or even calling an
> identity API like a UserInfo Endpoint. DPoP doesn’t help with any of that
> since DPoP is about access tokens.
>
>  — Justin
>
> On Jul 16, 2021, at 1:18 PM, John Bradley  wrote:
>
> Binding the token would be required for OAuth or Connect to meet the
> SP800-63 FAL3 requirements.
>
> Something like DPoP might work.  I don't think DPoP itself should directly
> add support.
>
> I don't know if people really care about FAL3; unfortunately, the simple
> solution of using token-binding seems quite dead in browsers.
>
> John B.
>
>
>
>
>
> On Fri, Jul 16, 2021, 12:29 PM Justin Richer  wrote:
>
>> I personally hope we don’t. JAR already gives us signed requests at the
>> authorization endpoint, though the last piece would be binding the token.
>>
>>  — Justin
>>
>> > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin wrote:
>> >
>> > Hi,
>> >
>> > The DPoP spec currently defines how to obtain a DPoP-bound token via
>> > token endpoint invocations (namely, the authorization_code and refresh_token
>> > grants). But it is also possible to obtain an access token prior to the
>> > code-to-token exchange, via the OAuth implicit/hybrid flows.
>> >
>> > Do we have any plans to support DPoP in the authorization endpoint (in
>> > addition to the token endpoint) and implicit/hybrid flows? If yes, what
>> > might it look like? A "dpop" request parameter or a "DPoP" header?
>> >
>> > Regards,
>> > Dmitry
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread Justin Richer
Binding the access token is not required for FAL3. FAL has nothing to say about 
access tokens:

https://pages.nist.gov/800-63-FAQ/#q-c8 


FAL3 is about presenting proof of a key representing the user alongside an 
assertion representing the user. In OIDC this would mean something like the ID 
token having a key identifier inside of it and the RP prompting the user for 
the key. This has nothing to do with access tokens, or even calling an identity 
API like a UserInfo Endpoint. DPoP doesn’t help with any of that since DPoP is 
about access tokens.

 — Justin

> On Jul 16, 2021, at 1:18 PM, John Bradley  wrote:
> 
> Binding the token would be required for OAuth or Connect to meet the SP800-63 
> FAL3 requirements. 
> 
> Something like DPoP might work.  I don't think DPoP itself should directly 
> add support. 
> 
> I don't know if people really care about FAL3; unfortunately, the simple 
> solution of using token-binding seems quite dead in browsers. 
> 
> John B. 
> 
> 
> 
> 
> 
> On Fri, Jul 16, 2021, 12:29 PM Justin Richer wrote:
> I personally hope we don’t. JAR already gives us signed requests at the 
> authorization endpoint, though the last piece would be binding the token. 
> 
>  — Justin
> 
> > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin wrote:
> > 
> > Hi,
> > 
> > The DPoP spec currently defines how to obtain a DPoP-bound token via token 
> > endpoint invocations (namely, the authorization_code and refresh_token grants). 
> > But it is also possible to obtain an access token prior to the code-to-token 
> > exchange, via the OAuth implicit/hybrid flows.
> > 
> > Do we have any plans to support DPoP in the authorization endpoint (in addition 
> > to the token endpoint) and implicit/hybrid flows? If yes, what might it look 
> > like? A "dpop" request parameter or a "DPoP" header?
> > 
> > Regards,
> > Dmitry



Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread Brian Campbell
Binding tokens issued directly from the authorization endpoint has been
intentionally considered out of scope for the main DPoP draft.

This draft,
https://datatracker.ietf.org/doc/html/draft-jones-oauth-dpop-implicit-00
was written to explore what it might look like. But it hasn't seen a lot
of interest or momentum.

On Thu, Jul 15, 2021 at 4:47 PM Dmitry Telegin  wrote:

> Hi,
>
> The DPoP spec currently defines how to obtain a DPoP-bound token via token
> endpoint invocations (namely, the authorization_code and refresh_token grants).
> But it is also possible to obtain an access token prior to the code-to-token
> exchange, via the OAuth implicit/hybrid flows.
>
> Do we have any plans to support DPoP in the authorization endpoint (in
> addition to the token endpoint) and implicit/hybrid flows? If yes, what
> might it look like? A "dpop" request parameter or a "DPoP" header?
>
> Regards,
> Dmitry



Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread John Bradley
Binding the token would be required for OAuth or Connect to meet the
SP800-63 FAL3 requirements.

Something like DPoP might work.  I don't think DPoP itself should directly
add support.

I don't know if people really care about FAL3; unfortunately, the simple
solution of using token-binding seems quite dead in browsers.

John B.





On Fri, Jul 16, 2021, 12:29 PM Justin Richer  wrote:

> I personally hope we don’t. JAR already gives us signed requests at the
> authorization endpoint, though the last piece would be binding the token.
>
>  — Justin
>
> > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin wrote:
> >
> > Hi,
> >
> > The DPoP spec currently defines how to obtain a DPoP-bound token via
> > token endpoint invocations (namely, the authorization_code and refresh_token
> > grants). But it is also possible to obtain an access token prior to the
> > code-to-token exchange, via the OAuth implicit/hybrid flows.
> >
> > Do we have any plans to support DPoP in the authorization endpoint (in
> > addition to the token endpoint) and implicit/hybrid flows? If yes, what
> > might it look like? A "dpop" request parameter or a "DPoP" header?
> >
> > Regards,
> > Dmitry


[OAUTH-WG] Call for adoption - OAuth Proof of Possession Tokens with HTTP Message Signatures

2021-07-16 Thread Rifaat Shekh-Yusef
All,

This is a call for adoption for the *OAuth Proof of Possession Tokens with
HTTP Message Signatures* draft as a WG document:
https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/

Please provide your feedback on the mailing list *by July 30th*.

Regards,
 Rifaat & Hannes


Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread Justin Richer
I personally hope we don’t. JAR already gives us signed requests at the 
authorization endpoint, though the last piece would be binding the token. 

 — Justin

> On Jul 15, 2021, at 6:47 PM, Dmitry Telegin wrote:
> 
> Hi,
> 
> The DPoP spec currently defines how to obtain a DPoP-bound token via token 
> endpoint invocations (namely, the authorization_code and refresh_token grants). 
> But it is also possible to obtain an access token prior to the code-to-token 
> exchange, via the OAuth implicit/hybrid flows.
> 
> Do we have any plans to support DPoP in the authorization endpoint (in addition 
> to the token endpoint) and implicit/hybrid flows? If yes, what might it look 
> like? A "dpop" request parameter or a "DPoP" header?
> 
> Regards,
> Dmitry
