[OAUTH-WG] I-D Action: draft-ietf-oauth-transaction-tokens-02.txt

2024-06-21 Thread internet-drafts
Internet-Draft draft-ietf-oauth-transaction-tokens-02.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Transaction Tokens
   Authors: Atul Tulshibagwale
            George Fletcher
            Pieter Kasselman
   Name:    draft-ietf-oauth-transaction-tokens-02.txt
   Pages:   28
   Dates:   2024-06-21

Abstract:

   Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain
   to ensure that user identity and authorization context of an external
   programmatic request, such as an API invocation, are preserved and
   available to all workloads that are invoked as part of processing
   such a request.  Txn-Tokens also enable workloads within the trusted
   domain to optionally immutably assert to downstream workloads that
   they were invoked in the call chain of the request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-transaction-tokens-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


___
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org


[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-09.txt

2024-06-13 Thread internet-drafts
Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-09.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   Selective Disclosure for JWTs (SD-JWT)
   Authors: Daniel Fett
            Kristina Yasuda
            Brian Campbell
   Name:    draft-ietf-oauth-selective-disclosure-jwt-09.txt
   Pages:   89
   Dates:   2024-06-13

Abstract:

   This specification defines a mechanism for selective disclosure of
   individual elements of a JSON object used as the payload of a JSON
   Web Signature (JWS) structure.  It encompasses various applications,
   including but not limited to the selective disclosure of JSON Web
   Token (JWT) claims.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-09

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-29.txt

2024-06-03 Thread internet-drafts
Internet-Draft draft-ietf-oauth-security-topics-29.txt is now available. It is
a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Security Best Current Practice
   Authors: Torsten Lodderstedt
            John Bradley
            Andrey Labunets
            Daniel Fett
   Name:    draft-ietf-oauth-security-topics-29.txt
   Pages:   59
   Dates:   2024-06-03

Abstract:

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the threat model and security advice given in
   RFC 6749, RFC 6750, and RFC 6819 to incorporate practical experiences
   gathered since OAuth 2.0 was published and covers new threats
   relevant due to the broader application of OAuth 2.0.  Further, it
   deprecates some modes of operation that are deemed less secure or
   even insecure.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-29.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-29

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-28.txt

2024-06-03 Thread internet-drafts
Internet-Draft draft-ietf-oauth-security-topics-28.txt is now available. It is
a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Security Best Current Practice
   Authors: Torsten Lodderstedt
            John Bradley
            Andrey Labunets
            Daniel Fett
   Name:    draft-ietf-oauth-security-topics-28.txt
   Pages:   59
   Dates:   2024-06-03

Abstract:

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the threat model and security advice given in
   RFC 6749, RFC 6750, and RFC 6819 to incorporate practical experiences
   gathered since OAuth 2.0 was published and covers new threats
   relevant due to the broader application of OAuth 2.0.  Further, it
   deprecates some modes of operation that are deemed less secure or
   even insecure.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-28.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-28

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-attestation-based-client-auth-03.txt

2024-05-31 Thread internet-drafts
Internet-Draft draft-ietf-oauth-attestation-based-client-auth-03.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   OAuth 2.0 Attestation-Based Client Authentication
   Authors: Tobias Looker
            Paul Bastian
   Name:    draft-ietf-oauth-attestation-based-client-auth-03.txt
   Pages:   16
   Dates:   2024-05-31

Abstract:

   This specification defines an extension to the OAuth 2 protocol as
   defined in [RFC6749] which enables a Client Instance to include a
   key-bound attestation in interactions with an Authorization Server or
   a Resource Server.  This new method enables Client Instances involved
   in a client deployment that is traditionally viewed as a public
   client, to be able to utilize this key-bound attestation to
   authenticate.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-attestation-based-client-auth-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-11.txt

2024-05-14 Thread internet-drafts
Internet-Draft draft-ietf-oauth-v2-1-11.txt is now available. It is a work
item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   The OAuth 2.1 Authorization Framework
   Authors: Dick Hardt
            Aaron Parecki
            Torsten Lodderstedt
   Name:    draft-ietf-oauth-v2-1-11.txt
   Pages:   96
   Dates:   2024-05-14

Abstract:

   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-11.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-v2-1-11

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-07.txt

2024-05-13 Thread internet-drafts
Internet-Draft draft-ietf-oauth-cross-device-security-07.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Cross-Device Flows: Security Best Current Practice
   Authors: Pieter Kasselman
            Daniel Fett
            Filip Skokan
   Name:    draft-ietf-oauth-cross-device-security-07.txt
   Pages:   55
   Dates:   2024-05-13

Abstract:

   This document describes threats against cross-device flows along with
   practical mitigations, protocol selection guidance, and a summary of
   formal analysis results identified as relevant to the security of
   cross-device flows.  It serves as a security guide to system
   designers, architects, product managers, security specialists, fraud
   analysts and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-07.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-07

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-27.txt

2024-05-08 Thread internet-drafts
Internet-Draft draft-ietf-oauth-security-topics-27.txt is now available. It is
a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Security Best Current Practice
   Authors: Torsten Lodderstedt
            John Bradley
            Andrey Labunets
            Daniel Fett
   Name:    draft-ietf-oauth-security-topics-27.txt
   Pages:   59
   Dates:   2024-05-07

Abstract:

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the threat model and security advice given in
   RFC 6749, RFC 6750, and RFC 6819 to incorporate practical experiences
   gathered since OAuth 2.0 was published and covers new threats
   relevant due to the broader application of OAuth 2.0.  Further, it
   deprecates some modes of operation that are deemed less secure or
   even insecure.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-27.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-27

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-05.txt

2024-05-03 Thread internet-drafts
Internet-Draft draft-ietf-oauth-resource-metadata-05.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Protected Resource Metadata
   Authors: Michael B. Jones
            Phil Hunt
            Aaron Parecki
   Name:    draft-ietf-oauth-resource-metadata-05.txt
   Pages:   25
   Dates:   2024-05-03

Abstract:

   This specification defines a metadata format that an OAuth 2.0 client
   or authorization server can use to obtain the information needed to
   interact with an OAuth 2.0 protected resource.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-05

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-resource-metadata-05

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-18.txt

2024-05-01 Thread internet-drafts
Internet-Draft draft-ietf-oauth-browser-based-apps-18.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 for Browser-Based Applications
   Authors: Aaron Parecki
            David Waite
            Philippe De Ryck
   Name:    draft-ietf-oauth-browser-based-apps-18.txt
   Pages:   61
   Dates:   2024-05-01

Abstract:

   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-18.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-18

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-04.txt

2024-04-26 Thread internet-drafts
Internet-Draft draft-ietf-oauth-resource-metadata-04.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Protected Resource Metadata
   Authors: Michael B. Jones
            Phil Hunt
            Aaron Parecki
   Name:    draft-ietf-oauth-resource-metadata-04.txt
   Pages:   25
   Dates:   2024-04-26

Abstract:

   This specification defines a metadata format that an OAuth 2.0 client
   or authorization server can use to obtain the information needed to
   interact with an OAuth 2.0 protected resource.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-04

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-resource-metadata-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-attestation-based-client-auth-02.txt

2024-04-21 Thread internet-drafts
Internet-Draft draft-ietf-oauth-attestation-based-client-auth-02.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   OAuth 2.0 Attestation-Based Client Authentication
   Authors: Tobias Looker
            Paul Bastian
   Name:    draft-ietf-oauth-attestation-based-client-auth-02.txt
   Pages:   14
   Dates:   2024-04-21

Abstract:

   This specification defines a new method of client authentication for
   OAuth 2.0 [RFC6749] by extending the approach defined in [RFC7521].
   This new method enables client deployments that are traditionally
   viewed as public clients to be able to authenticate with the
   authorization server through an attestation based authentication
   scheme.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-attestation-based-client-auth-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-26.txt

2024-04-21 Thread internet-drafts
Internet-Draft draft-ietf-oauth-security-topics-26.txt is now available. It is
a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Security Best Current Practice
   Authors: Torsten Lodderstedt
            John Bradley
            Andrey Labunets
            Daniel Fett
   Name:    draft-ietf-oauth-security-topics-26.txt
   Pages:   60
   Dates:   2024-04-21

Abstract:

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the threat model and security advice given in
   RFC 6749, RFC 6750, and RFC 6819 to incorporate practical experiences
   gathered since OAuth 2.0 was published and covers new threats
   relevant due to the broader application of OAuth 2.0.  It further
   deprecates some modes of operation that are deemed less secure or
   even insecure.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-26.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-26

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-06.txt

2024-04-04 Thread internet-drafts
Internet-Draft draft-ietf-oauth-cross-device-security-06.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Cross-Device Flows: Security Best Current Practice
   Authors: Pieter Kasselman
            Daniel Fett
            Filip Skokan
   Name:    draft-ietf-oauth-cross-device-security-06.txt
   Pages:   54
   Dates:   2024-04-04

Abstract:

   This document describes threats against cross-device flows along with
   practical mitigations, protocol selection guidance, and a summary of
   formal analysis results identified as relevant to the security of
   cross-device flows.  It serves as a security guide to system
   designers, architects, product managers, security specialists, fraud
   analysts and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-transaction-tokens-01.txt

2024-03-16 Thread internet-drafts
Internet-Draft draft-ietf-oauth-transaction-tokens-01.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Transaction Tokens
   Authors: Atul Tulshibagwale
            George Fletcher
            Pieter Kasselman
   Name:    draft-ietf-oauth-transaction-tokens-01.txt
   Pages:   22
   Dates:   2024-03-16

Abstract:

   Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain
   to ensure that user identity and authorization context of an external
   programmatic request, such as an API invocation, are preserved and
   available to all workloads that are invoked as part of processing
   such a request.  Txn-Tokens also enable workloads within the trusted
   domain to optionally immutably assert to downstream workloads that
   they were invoked in the call chain of the request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-transaction-tokens-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-sd-jwt-vc-03.txt

2024-03-04 Thread internet-drafts
Internet-Draft draft-ietf-oauth-sd-jwt-vc-03.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   SD-JWT-based Verifiable Credentials (SD-JWT VC)
   Authors: Oliver Terbu
            Daniel Fett
            Brian Campbell
   Name:    draft-ietf-oauth-sd-jwt-vc-03.txt
   Pages:   34
   Dates:   2024-03-04

Abstract:

   This specification describes data formats as well as validation and
   processing rules to express Verifiable Credentials with JSON payloads
   with and without selective disclosure based on the SD-JWT
   [I-D.ietf-oauth-selective-disclosure-jwt] format.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-sd-jwt-vc-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-08.txt

2024-03-04 Thread internet-drafts
Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-08.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   Selective Disclosure for JWTs (SD-JWT)
   Authors: Daniel Fett
            Kristina Yasuda
            Brian Campbell
   Name:    draft-ietf-oauth-selective-disclosure-jwt-08.txt
   Pages:   84
   Dates:   2024-03-04

Abstract:

   This specification defines a mechanism for selective disclosure of
   individual elements of a JSON object used as the payload of a JSON
   Web Signature (JWS) structure.  It encompasses various applications,
   including but not limited to the selective disclosure of JSON Web
   Token (JWT) claims.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-08

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-status-list-02.txt

2024-03-03 Thread internet-drafts
Internet-Draft draft-ietf-oauth-status-list-02.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Token Status List
   Authors: Tobias Looker
            Paul Bastian
            Christian Bormann
   Name:    draft-ietf-oauth-status-list-02.txt
   Pages:   33
   Dates:   2024-03-03

Abstract:

   This specification defines status list data structures and processing
   rules for representing the status of tokens secured by JSON Object
   Signing and Encryption (JOSE) or CBOR Object Signing and
   Encryption (COSE), such as JSON Web Tokens (JWTs), CBOR Web Tokens
   (CWTs) and ISO mdoc.  The status list token data structures
   themselves are also represented as JWTs or CWTs.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-status-list-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-05.txt

2024-03-01 Thread internet-drafts
Internet-Draft draft-ietf-oauth-cross-device-security-05.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Cross-Device Flows: Security Best Current Practice
   Authors: Pieter Kasselman
            Daniel Fett
            Filip Skokan
   Name:    draft-ietf-oauth-cross-device-security-05.txt
   Pages:   54
   Dates:   2024-03-01

Abstract:

   This document describes threats against cross-device flows along with
   practical mitigations, protocol selection guidance, and a summary of
   formal analysis results identified as relevant to the security of
   cross-device flows.  It serves as a security guide to system
   designers, architects, product managers, security specialists, fraud
   analysts and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-05.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-05

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-17.txt

2024-02-28 Thread internet-drafts
Internet-Draft draft-ietf-oauth-browser-based-apps-17.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 for Browser-Based Apps
   Authors: Aaron Parecki
            David Waite
            Philippe De Ryck
   Name:    draft-ietf-oauth-browser-based-apps-17.txt
   Pages:   60
   Dates:   2024-02-28

Abstract:

   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-17.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-17

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-sd-jwt-vc-02.txt

2024-02-27 Thread internet-drafts
Internet-Draft draft-ietf-oauth-sd-jwt-vc-02.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   SD-JWT-based Verifiable Credentials (SD-JWT VC)
   Authors: Oliver Terbu
            Daniel Fett
            Brian Campbell
   Name:    draft-ietf-oauth-sd-jwt-vc-02.txt
   Pages:   34
   Dates:   2024-02-27

Abstract:

   This specification describes data formats as well as validation and
   processing rules to express Verifiable Credentials with JSON payloads
   with and without selective disclosure based on the SD-JWT
   [I-D.ietf-oauth-selective-disclosure-jwt] format.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-sd-jwt-vc-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-identity-chaining-01.txt

2024-02-19 Thread internet-drafts
Internet-Draft draft-ietf-oauth-identity-chaining-01.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth Identity and Authorization Chaining Across Domains
   Authors: Arndt Schwenkschuster
            Pieter Kasselmann
            Kelley Burgin
            Mike Jenkins
            Brian Campbell
   Name:    draft-ietf-oauth-identity-chaining-01.txt
   Pages:   18
   Dates:   2024-02-19

Abstract:

   This specification defines a mechanism to preserve identity
   information and federate authorization across trust domains that use
   the OAuth 2.0 Framework.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-identity-chaining.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-identity-chaining-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-identity-chaining-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-16.txt

2024-02-16 Thread internet-drafts
Internet-Draft draft-ietf-oauth-browser-based-apps-16.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 for Browser-Based Apps
   Authors: Aaron Parecki
            David Waite
            Philippe De Ryck
   Name:    draft-ietf-oauth-browser-based-apps-16.txt
   Pages:   59
   Dates:   2024-02-16

Abstract:

   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-16.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-16

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-25.txt

2024-02-08 Thread internet-drafts
Internet-Draft draft-ietf-oauth-security-topics-25.txt is now available. It is
a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Security Best Current Practice
   Authors: Torsten Lodderstedt
            John Bradley
            Andrey Labunets
            Daniel Fett
   Name:    draft-ietf-oauth-security-topics-25.txt
   Pages:   59
   Dates:   2024-02-08

Abstract:

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the threat model and security advice given in
   [RFC6749], [RFC6750], and [RFC6819] to incorporate practical
   experiences gathered since OAuth 2.0 was published and covers new
   threats relevant due to the broader application of OAuth 2.0.  It
   further deprecates some modes of operation that are deemed less
   secure or even insecure.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-25.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-25

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-status-list-01.txt

2024-02-05 Thread internet-drafts
Internet-Draft draft-ietf-oauth-status-list-01.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Token Status List
   Authors: Tobias Looker
            Paul Bastian
            Christian Bormann
   Name:    draft-ietf-oauth-status-list-01.txt
   Pages:   25
   Dates:   2024-02-05

Abstract:

   This specification defines status list data structures for
   representing the status of JSON Web Tokens (JWTs) [RFC7519] and CBOR
   Web Tokens (CWTs) [RFC8392].  The status list data structures
   themselves are also represented as JWTs or CWTs.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-status-list-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-03.txt

2024-02-01 Thread internet-drafts
Internet-Draft draft-ietf-oauth-resource-metadata-03.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Protected Resource Metadata
   Authors: Michael B. Jones
            Phil Hunt
            Aaron Parecki
   Name:    draft-ietf-oauth-resource-metadata-03.txt
   Pages:   23
   Dates:   2024-02-01

Abstract:

   This specification defines a metadata format that an OAuth 2.0 client
   or authorization server can use to obtain the information needed to
   interact with an OAuth 2.0 protected resource.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-03

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-resource-metadata-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-02.txt

2024-01-24 Thread internet-drafts
Internet-Draft draft-ietf-oauth-resource-metadata-02.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Protected Resource Metadata
   Authors: Michael B. Jones
            Phil Hunt
            Aaron Parecki
   Name:    draft-ietf-oauth-resource-metadata-02.txt
   Pages:   23
   Dates:   2024-01-24

Abstract:

   This specification defines a metadata format that an OAuth 2.0 client
   or authorization server can use to obtain the information needed to
   interact with an OAuth 2.0 protected resource.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-02

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-resource-metadata-02

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-10.txt

2024-01-09 Thread internet-drafts
Internet-Draft draft-ietf-oauth-v2-1-10.txt is now available. It is a work
item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   The OAuth 2.1 Authorization Framework
   Authors: Dick Hardt
            Aaron Parecki
            Torsten Lodderstedt
   Name:    draft-ietf-oauth-v2-1-10.txt
   Pages:   94
   Dates:   2024-01-09

Abstract:

   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-10.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-v2-1-10

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-07.txt

2023-12-11 Thread internet-drafts
Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-07.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   Selective Disclosure for JWTs (SD-JWT)
   Authors: Daniel Fett
            Kristina Yasuda
            Brian Campbell
   Name:    draft-ietf-oauth-selective-disclosure-jwt-07.txt
   Pages:   82
   Dates:   2023-12-11

Abstract:

   This specification defines a mechanism for selective disclosure of
   individual elements of a JSON object used as the payload of a JSON
   Web Signature (JWS) structure.  It encompasses various applications,
   including but not limited to the selective disclosure of JSON Web
   Token (JWT) claims.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-07.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-07

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-identity-chaining-00.txt

2023-12-01 Thread internet-drafts
Internet-Draft draft-ietf-oauth-identity-chaining-00.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Identity Chaining across Trust Domains
   Authors: Arndt Schwenkschuster
            Pieter Kasselmann
            Kelley Burgin
            Mike Jenkins
            Brian Campbell
   Name:    draft-ietf-oauth-identity-chaining-00.txt
   Pages:   18
   Dates:   2023-12-01

Abstract:

   This specification defines a mechanism to preserve identity and call
   chain information across trust domains that use the OAuth 2.0
   Framework.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-chaining-00

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-transaction-tokens-00.txt

2023-11-29 Thread internet-drafts
Internet-Draft draft-ietf-oauth-transaction-tokens-00.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Transaction Tokens
   Authors: Atul Tulshibagwale
            George Fletcher
            Pieter Kasselman
   Name:    draft-ietf-oauth-transaction-tokens-00.txt
   Pages:   19
   Dates:   2023-11-29

Abstract:

   Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain
   to ensure that user identity and authorization context of an external
   programmatic request, such as an API invocation, are preserved and
   available to all workloads that are invoked as part of processing
   such a request.  Txn-Tokens also enable workloads within the trusted
   domain to optionally immutably assert to downstream workloads that
   they were invoked in the call chain of the request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-transaction-tokens-00

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-attestation-based-client-auth-01.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-attestation-based-client-auth-01.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   OAuth 2.0 Attestation-Based Client Authentication
   Authors: Tobias Looker
            Paul Bastian
   Name:    draft-ietf-oauth-attestation-based-client-auth-01.txt
   Pages:   14
   Dates:   2023-10-23

Abstract:

   This specification defines a new method of client authentication for
   OAuth 2.0 [RFC6749] by extending the approach defined in [RFC7521].
   This new method enables client deployments that are traditionally
   viewed as public clients to be able to authenticate with the
   authorization server through an attestation based authentication
   scheme.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-attestation-based-client-auth-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-sd-jwt-vc-01.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-sd-jwt-vc-01.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   SD-JWT-based Verifiable Credentials (SD-JWT VC)
   Authors: Oliver Terbu
            Daniel Fett
   Name:    draft-ietf-oauth-sd-jwt-vc-01.txt
   Pages:   24
   Dates:   2023-10-23

Abstract:

   This specification describes data formats as well as validation and
   processing rules to express Verifiable Credentials with JSON payloads
   with and without selective disclosure based on the SD-JWT
   [I-D.ietf-oauth-selective-disclosure-jwt] format.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-sd-jwt-vc-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-24.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-security-topics-24.txt is now available. It is
a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Security Best Current Practice
   Authors: Torsten Lodderstedt
            John Bradley
            Andrey Labunets
            Daniel Fett
   Name:    draft-ietf-oauth-security-topics-24.txt
   Pages:   62
   Dates:   2023-10-23

Abstract:

   This document describes best current security practice for OAuth 2.0.
   It updates and extends the OAuth 2.0 Security Threat Model to
   incorporate practical experiences gathered since OAuth 2.0 was
   published and covers new threats relevant due to the broader
   application of OAuth 2.0.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-24.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-24

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-06.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   Selective Disclosure for JWTs (SD-JWT)
   Authors: Daniel Fett
            Kristina Yasuda
            Brian Campbell
   Name:    draft-ietf-oauth-selective-disclosure-jwt-06.txt
   Pages:   90
   Dates:   2023-10-23

Abstract:

   This specification defines a mechanism for selective disclosure of
   individual elements of a JSON object used as the payload of a JSON
   Web Signature (JWS) structure.  It encompasses various applications,
   including but not limited to the selective disclosure of JSON Web
   Token (JWT) claims.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-15.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-browser-based-apps-15.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 for Browser-Based Apps
   Authors: Aaron Parecki
            David Waite
            Philippe De Ryck
   Name:    draft-ietf-oauth-browser-based-apps-15.txt
   Pages:   58
   Dates:   2023-10-23

Abstract:

   This specification details the threats, attack consequences, security
   considerations and best practices that must be taken into account
   when developing browser-based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-15

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-status-list-00.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-status-list-00.txt is now available. It is a
work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth Status List
   Authors: Tobias Looker
            Paul Bastian
            Christian Bormann
   Name:    draft-ietf-oauth-status-list-00.txt
   Pages:   17
   Dates:   2023-10-23

Abstract:

   This specification defines status list data structures for
   representing the status of JSON Web Tokens (JWTs) [RFC7519] and CBOR
   Web Tokens (CWTs) [RFC8392].  The status list data structures
   themselves are also represented as JWTs or CWTs.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-status-list-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-04.txt

2023-10-22 Thread internet-drafts
Internet-Draft draft-ietf-oauth-cross-device-security-04.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Cross-Device Flows: Security Best Current Practice
   Authors: Pieter Kasselman
            Daniel Fett
            Filip Skokan
   Name:    draft-ietf-oauth-cross-device-security-04.txt
   Pages:   53
   Dates:   2023-10-22

Abstract:

   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance, and the
   analytical tools needed to evaluate the effectiveness of these
   mitigations.  It serves as a security guide to system designers,
   architects, product managers, security specialists, fraud analysts
   and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-04

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-03.txt

2023-10-22 Thread internet-drafts
Internet-Draft draft-ietf-oauth-cross-device-security-03.txt is now available.
It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   Cross-Device Flows: Security Best Current Practice
   Authors: Pieter Kasselman
            Daniel Fett
            Filip Skokan
   Name:    draft-ietf-oauth-cross-device-security-03.txt
   Pages:   53
   Dates:   2023-10-22

Abstract:

   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance, and the
   analytical tools needed to evaluate the effectiveness of these
   mitigations.  It serves as a security guide to system designers,
   architects, product managers, security specialists, fraud analysts
   and engineers implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-01.txt

2023-10-20 Thread internet-drafts
Internet-Draft draft-ietf-oauth-resource-metadata-01.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Protected Resource Metadata
   Authors: Michael B. Jones
            Phil Hunt
            Aaron Parecki
   Name:    draft-ietf-oauth-resource-metadata-01.txt
   Pages:   22
   Dates:   2023-10-20

Abstract:

   This specification defines a metadata format that an OAuth 2.0 client
   or authorization server can use to obtain the information needed to
   interact with an OAuth 2.0 protected resource.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-01

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-resource-metadata-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-resource-metadata-00.txt

2023-09-06 Thread internet-drafts
Internet-Draft draft-ietf-oauth-resource-metadata-00.txt is now available. It
is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF.

   Title:   OAuth 2.0 Protected Resource Metadata
   Authors: Michael B. Jones
            Phil Hunt
            Aaron Parecki
   Name:    draft-ietf-oauth-resource-metadata-00.txt
   Pages:   21
   Dates:   2023-09-06

Abstract:

   This specification defines a metadata format that an OAuth 2.0 client
   can use to obtain the information needed to interact with an OAuth
   2.0 protected resource.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-00

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-attestation-based-client-auth-00.txt

2023-09-01 Thread internet-drafts
Internet-Draft draft-ietf-oauth-attestation-based-client-auth-00.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.

   Title:   OAuth 2.0 Attestation-Based Client Authentication
   Authors: Tobias Looker
            Paul Bastian
   Name:    draft-ietf-oauth-attestation-based-client-auth-00.txt
   Pages:   14
   Dates:   2023-08-31

Abstract:

   This specification defines a new method of client authentication for
   OAuth 2.0 [RFC6749] by extending the approach defined in [RFC7521].
   This new method enables client deployments that are traditionally
   viewed as public clients to be able to authenticate with the
   authorization server through an attestation based authentication
   scheme.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-sd-jwt-vc-00.txt

2023-08-16 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : SD-JWT-based Verifiable Credentials (SD-JWT VC)
   Authors : Oliver Terbu
             Daniel Fett
   Filename: draft-ietf-oauth-sd-jwt-vc-00.txt
   Pages   : 22
   Date    : 2023-08-16

Abstract:
   This specification describes data formats as well as validation and
   processing rules to express Verifiable Credentials with JSON payloads
   based on the Selective Disclosure for JWTs (SD-JWT)
   [I-D.ietf-oauth-selective-disclosure-jwt] format.  It can be used
   without any selective disclosable claims, too.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-00.html

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-09.txt

2023-07-10 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : The OAuth 2.1 Authorization Framework
   Authors : Dick Hardt
             Aaron Parecki
             Torsten Lodderstedt
   Filename: draft-ietf-oauth-v2-1-09.txt
   Pages   : 90
   Date    : 2023-07-10

Abstract:
   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-v2-1-09

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-02.txt

2023-07-10 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Cross-Device Flows: Security Best Current Practice
   Authors : Pieter Kasselman
             Daniel Fett
             Filip Skokan
   Filename: draft-ietf-oauth-cross-device-security-02.txt
   Pages   : 43
   Date    : 2023-07-10

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-02

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-05.txt

2023-06-30 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Selective Disclosure for JWTs (SD-JWT)
   Authors : Daniel Fett
             Kristina Yasuda
             Brian Campbell
   Filename: draft-ietf-oauth-selective-disclosure-jwt-05.txt
   Pages   : 84
   Date    : 2023-06-30

Abstract:
   This specification defines a mechanism for selective disclosure of
   individual elements of a JSON object used as the payload of a JSON
   Web Signature (JWS) structure.  It encompasses various applications,
   including but not limited to the selective disclosure of JSON Web
   Token (JWT) claims.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-05.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-05

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-14.txt

2023-06-29 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 for Browser-Based Apps
   Authors : Aaron Parecki
             David Waite
   Filename: draft-ietf-oauth-browser-based-apps-14.txt
   Pages   : 35
   Date    : 2023-06-29

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-14.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-14

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-17.txt

2023-06-26 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-17.txt
   Pages   : 18
   Date    : 2023-06-26

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-17.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-17

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-16.txt

2023-06-26 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-16.txt
   Pages   : 18
   Date    : 2023-06-26

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-16.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-16

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-23.txt

2023-06-06 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Security Best Current Practice
   Authors : Torsten Lodderstedt
             John Bradley
             Andrey Labunets
             Daniel Fett
   Filename: draft-ietf-oauth-security-topics-23.txt
   Pages   : 62
   Date    : 2023-06-05

Abstract:
   This document describes best current security practice for OAuth 2.0.
   It updates and extends the OAuth 2.0 Security Threat Model to
   incorporate practical experiences gathered since OAuth 2.0 was
   published and covers new threats relevant due to the broader
   application of OAuth 2.0.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-23.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-23

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-16.txt

2023-04-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
   Authors : Daniel Fett
             Brian Campbell
             John Bradley
             Torsten Lodderstedt
             Michael Jones
             David Waite
   Filename: draft-ietf-oauth-dpop-16.txt
   Pages   : 49
   Date    : 2023-04-13

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-dpop-16

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-15.txt

2023-04-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-15.txt
   Pages   : 18
   Date    : 2023-04-13

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-15.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-15

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-15.txt

2023-04-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
   Authors : Daniel Fett
             Brian Campbell
             John Bradley
             Torsten Lodderstedt
             Michael Jones
             David Waite
   Filename: draft-ietf-oauth-dpop-15.txt
   Pages   : 51
   Date    : 2023-04-13

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-15.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-dpop-15

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-04.txt

2023-04-11 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Selective Disclosure for JWTs (SD-JWT)
   Authors : Daniel Fett
             Kristina Yasuda
             Brian Campbell
   Filename: draft-ietf-oauth-selective-disclosure-jwt-04.txt
   Pages   : 70
   Date    : 2023-04-11

Abstract:
   This document specifies conventions for creating JSON Web Token (JWT)
   documents that support selective disclosure of JWT claims.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-selective-disclosure-jwt.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-04.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-04

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-14.txt

2023-04-05 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-14.txt
   Pages   : 18
   Date    : 2023-04-05

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-14.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-14

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-08.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : The OAuth 2.1 Authorization Framework
   Authors : Dick Hardt
             Aaron Parecki
             Torsten Lodderstedt
   Filename: draft-ietf-oauth-v2-1-08.txt
   Pages   : 88
   Date    : 2023-03-13

Abstract:
   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-v2-1-08

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-13.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 for Browser-Based Apps
   Authors : Aaron Parecki
             David Waite
   Filename: draft-ietf-oauth-browser-based-apps-13.txt
   Pages   : 34
   Date    : 2023-03-13

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-13.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-13

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Cross-Device Flows: Security Best Current Practice
   Authors : Pieter Kasselman
             Daniel Fett
             Filip Skokan
   Filename: draft-ietf-oauth-cross-device-security-01.txt
   Pages   : 40
   Date    : 2023-03-13

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-01.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-cross-device-security-01

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-03.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : Selective Disclosure for JWTs (SD-JWT)
   Authors : Daniel Fett
             Kristina Yasuda
             Brian Campbell
   Filename: draft-ietf-oauth-selective-disclosure-jwt-03.txt
   Pages   : 69
   Date    : 2023-03-13

Abstract:
   This document specifies conventions for creating JSON Web Token (JWT)
   documents that support selective disclosure of JWT claims.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-selective-disclosure-jwt.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-03

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-22.txt

2023-03-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Web Authorization
Protocol (OAUTH) WG of the IETF.

   Title   : OAuth 2.0 Security Best Current Practice
   Authors : Torsten Lodderstedt
             John Bradley
             Andrey Labunets
             Daniel Fett
   Filename: draft-ietf-oauth-security-topics-22.txt
   Pages   : 60
   Date    : 2023-03-13

Abstract:
   This document describes best current security practice for OAuth 2.0.
   It updates and extends the OAuth 2.0 Security Threat Model to
   incorporate practical experiences gathered since OAuth 2.0 was
   published and covers new threats relevant due to the broader
   application of OAuth 2.0.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-security-topics-22

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-14.txt

2023-03-08 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol WG of the 
IETF.

   Title   : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
   Authors : Daniel Fett
             Brian Campbell
             John Bradley
             Torsten Lodderstedt
             Michael Jones
             David Waite
   Filename: draft-ietf-oauth-dpop-14.txt
   Pages   : 47
   Date    : 2023-03-08

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-14.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-dpop-14


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-13.txt

2023-03-06 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol WG of the 
IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-13.txt
   Pages   : 18
   Date    : 2023-03-06

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.


The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-13.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-13


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-12.txt

2023-02-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol WG of the 
IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-12.txt
   Pages   : 17
   Date    : 2023-02-24

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request does
   not meet its authentication requirements and specify how to meet
   them.  This document also codifies a mechanism for a client to
   request that an authorization server achieve a specific
   authentication strength or recentness when processing an
   authorization request.


The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-12.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-12


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-11.txt

2023-02-17 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This Internet-Draft is a work item of the Web Authorization Protocol WG of the 
IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-11.txt
   Pages   : 17
   Date    : 2023-02-17

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   recentness when processing an authorization request.


The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-11.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-11


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-23.txt

2023-01-30 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title   : OAuth 2.0 Rich Authorization Requests
   Authors : Torsten Lodderstedt
             Justin Richer
             Brian Campbell
   Filename: draft-ietf-oauth-rar-23.txt
   Pages   : 45
   Date    : 2023-01-30

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-23.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rar-23


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-13.txt

2023-01-20 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title   : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
   Authors : Daniel Fett
             Brian Campbell
             John Bradley
             Torsten Lodderstedt
             Michael Jones
             David Waite
   Filename: draft-ietf-oauth-dpop-13.txt
   Pages   : 46
   Date    : 2023-01-20

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-13.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-dpop-13


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-10.txt

2023-01-12 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-10.txt
   Pages   : 16
   Date    : 2023-01-12

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   recentness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-10.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-10


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-09.txt

2023-01-12 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title   : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors : Vittorio Bertocci
             Brian Campbell
   Filename: draft-ietf-oauth-step-up-authn-challenge-09.txt
   Pages   : 16
   Date    : 2023-01-12

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or recentness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   recentness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-09.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-09


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-12.txt

2022-12-29 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Demonstrating Proof-of-Possession at the
              Application Layer (DPoP)
   Authors  : Daniel Fett
              Brian Campbell
              John Bradley
              Torsten Lodderstedt
              Michael Jones
              David Waite
   Filename : draft-ietf-oauth-dpop-12.txt
   Pages    : 46
   Date     : 2022-12-29

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-12.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-dpop-12


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-22.txt

2022-12-22 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-22.txt
   Pages    : 45
   Date     : 2022-12-22

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-22.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rar-22


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-08.txt

2022-12-19 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-08.txt
   Pages    : 16
   Date     : 2022-12-19

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-08.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-08


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-07.txt

2022-12-16 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-07.txt
   Pages    : 16
   Date     : 2022-12-16

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-07.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-step-up-authn-challenge-07


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-21.txt

2022-12-15 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-21.txt
   Pages    : 46
   Date     : 2022-12-15

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-21.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rar-21


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-20.txt

2022-12-15 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-20.txt
   Pages    : 46
   Date     : 2022-12-15

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-20.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rar-20


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-19.txt

2022-12-12 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-19.txt
   Pages    : 45
   Date     : 2022-12-12

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-19.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rar-19


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-18.txt

2022-12-08 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-18.txt
   Pages    : 45
   Date     : 2022-12-08

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-18.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-rar-18


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-00.txt

2022-12-07 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : Cross-Device Flows: Security Best Current Practice
   Authors  : Pieter Kasselman
              Daniel Fett
              Filip Skokan
   Filename : draft-ietf-oauth-cross-device-security-00.txt
   Pages    : 31
   Date     : 2022-12-07

Abstract:
   This document describes threats against cross-device flows along with
   near term mitigations, protocol selection guidance and the analytical
   tools needed to evaluate the effectiveness of these mitigations.  It
   serves as a security guide to system designers, architects, product
   managers, security specialists, fraud analysts and engineers
   implementing cross-device flows.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-cross-device-security-00.html


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-02.txt

2022-12-07 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : Selective Disclosure for JWTs (SD-JWT)
   Authors  : Daniel Fett
              Kristina Yasuda
              Brian Campbell
   Filename : draft-ietf-oauth-selective-disclosure-jwt-02.txt
   Pages    : 59
   Date     : 2022-12-07

Abstract:
   This document specifies conventions for creating JSON Web Token (JWT)
   documents that support selective disclosure of JWT claims.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-selective-disclosure-jwt.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-02.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-02


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-12.txt

2022-12-06 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 for Browser-Based Apps
   Authors  : Aaron Parecki
              David Waite
   Filename : draft-ietf-oauth-browser-based-apps-12.txt
   Pages    : 33
   Date     : 2022-12-06

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-12.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-browser-based-apps-12


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-17.txt

2022-12-02 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-17.txt
   Pages    : 45
   Date     : 2022-12-02

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-17.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-17


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-16.txt

2022-11-22 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-16.txt
   Pages    : 46
   Date     : 2022-11-22

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-16.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-16


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-06.txt

2022-11-06 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-06.txt
   Pages    : 16
   Date     : 2022-11-06

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-06.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-step-up-authn-challenge-06


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-15.txt

2022-11-06 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-15.txt
   Pages    : 45
   Date     : 2022-11-06

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-15.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-15


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-07.txt

2022-10-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : The OAuth 2.1 Authorization Framework
   Authors  : Dick Hardt
              Aaron Parecki
              Torsten Lodderstedt
   Filename : draft-ietf-oauth-v2-1-07.txt
   Pages    : 86
   Date     : 2022-10-24

Abstract:
   The OAuth 2.1 authorization framework enables an application to
   obtain limited access to a protected resource, either on behalf of a
   resource owner by orchestrating an approval interaction between the
   resource owner and an authorization service, or by allowing the
   application to obtain access on its own behalf.  This specification
   replaces and obsoletes the OAuth 2.0 Authorization Framework
   described in RFC 6749 and the Bearer Token Usage in RFC 6750.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-07.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-1-07


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-01.txt

2022-10-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : Selective Disclosure for JWTs (SD-JWT)
   Authors  : Daniel Fett
              Kristina Yasuda
   Filename : draft-ietf-oauth-selective-disclosure-jwt-01.txt
   Pages    : 56
   Date     : 2022-10-24

Abstract:
   This document specifies conventions for creating JSON Web Token (JWT)
   documents that support selective disclosure of JWT claim values.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-selective-disclosure-jwt.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-01.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-selective-disclosure-jwt-01


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-14.txt

2022-10-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-14.txt
   Pages    : 45
   Date     : 2022-10-24

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-14.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-14


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-rar-13.txt

2022-10-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Rich Authorization Requests
   Authors  : Torsten Lodderstedt
              Justin Richer
              Brian Campbell
   Filename : draft-ietf-oauth-rar-13.txt
   Pages    : 45
   Date     : 2022-10-24

Abstract:
   This document specifies a new parameter authorization_details that is
   used to carry fine-grained authorization data in OAuth messages.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-rar-13.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-rar-13


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-05.txt

2022-10-11 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-05.txt
   Pages    : 15
   Date     : 2022-10-11

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-05.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-step-up-authn-challenge-05


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-04.txt

2022-10-10 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-04.txt
   Pages    : 15
   Date     : 2022-10-10

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-04.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-step-up-authn-challenge-04


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-21.txt

2022-09-27 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Security Best Current Practice
   Authors  : Torsten Lodderstedt
              John Bradley
              Andrey Labunets
              Daniel Fett
   Filename : draft-ietf-oauth-security-topics-21.txt
   Pages    : 56
   Date     : 2022-09-27

Abstract:
   This document describes best current security practice for OAuth 2.0.
   It updates and extends the OAuth 2.0 Security Threat Model to
   incorporate practical experiences gathered since OAuth 2.0 was
   published and covers new threats relevant due to the broader
   application of OAuth 2.0.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-21.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-21


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-03.txt

2022-09-14 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-03.txt
   Pages    : 15
   Date     : 2022-09-14

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-03.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-step-up-authn-challenge-03


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-11.txt

2022-09-13 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 for Browser-Based Apps
   Authors  : Aaron Parecki
              David Waite
   Filename : draft-ietf-oauth-browser-based-apps-11.txt
   Pages    : 29
   Date     : 2022-09-13

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-11.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-11


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-browser-based-apps-10.txt

2022-09-06 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 for Browser-Based Apps
   Authors  : Aaron Parecki
              David Waite
   Filename : draft-ietf-oauth-browser-based-apps-10.txt
   Pages    : 26
   Date     : 2022-09-06

Abstract:
   This specification details the security considerations and best
   practices that must be taken into account when developing browser-
   based applications that use OAuth 2.0.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Web Authorization
   Protocol Working Group mailing list (oauth@ietf.org), which is
   archived at https://mailarchive.ietf.org/arch/browse/oauth/.

   Source for this draft and an issue tracker can be found at
   https://github.com/oauth-wg/oauth-browser-based-apps.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-10.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-browser-based-apps-10


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-00.txt

2022-08-25 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : Selective Disclosure for JWTs (SD-JWT)
   Authors  : Daniel Fett
              Kristina Yasuda
   Filename : draft-ietf-oauth-selective-disclosure-jwt-00.txt
   Pages    : 31
   Date     : 2022-08-25

Abstract:
   This document specifies conventions for creating JSON Web Token (JWT)
   documents that support selective disclosure of JWT claim values.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-00.html


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-11.txt

2022-08-10 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
   Authors  : Daniel Fett
              Brian Campbell
              John Bradley
              Torsten Lodderstedt
              Michael Jones
              David Waite
   Filename : draft-ietf-oauth-dpop-11.txt
   Pages    : 44
   Date     : 2022-08-10

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-11


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-security-topics-20.txt

2022-07-28 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Security Best Current Practice
   Authors  : Torsten Lodderstedt
              John Bradley
              Andrey Labunets
              Daniel Fett
   Filename : draft-ietf-oauth-security-topics-20.txt
   Pages    : 56
   Date     : 2022-07-28

Abstract:
   This document describes best current security practice for OAuth 2.0.
   It updates and extends the OAuth 2.0 Security Threat Model to
   incorporate practical experiences gathered since OAuth 2.0 was
   published and covers new threats relevant due to the broader
   application of OAuth 2.0.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-20.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-security-topics-20


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-v2-1-06.txt

2022-07-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : The OAuth 2.1 Authorization Framework
   Authors  : Dick Hardt
              Aaron Parecki
              Torsten Lodderstedt
   Filename : draft-ietf-oauth-v2-1-06.txt
   Pages    : 84
   Date     : 2022-07-24

Abstract:
   The OAuth 2.1 authorization framework enables a third-party
   application to obtain limited access to a protected resource, either
   on behalf of a resource owner by orchestrating an approval
   interaction between the resource owner and an authorization service,
   or by allowing the third-party application to obtain access on its
   own behalf.  This specification replaces and obsoletes the OAuth 2.0
   Authorization Framework described in RFC 6749.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-06.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-1-06


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-02.txt

2022-07-24 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-02.txt
   Pages    : 13
   Date     : 2022-07-24

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-02.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-step-up-authn-challenge-02


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-dpop-10.txt

2022-07-11 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
   Authors  : Daniel Fett
              Brian Campbell
              John Bradley
              Torsten Lodderstedt
              Michael Jones
              David Waite
   Filename : draft-ietf-oauth-dpop-10.txt
   Pages    : 43
   Date     : 2022-07-11

Abstract:
   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-10


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts




[OAUTH-WG] I-D Action: draft-ietf-oauth-step-up-authn-challenge-01.txt

2022-07-11 Thread internet-drafts


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

   Title    : OAuth 2.0 Step-up Authentication Challenge Protocol
   Authors  : Vittorio Bertocci
              Brian Campbell
   Filename : draft-ietf-oauth-step-up-authn-challenge-01.txt
   Pages    : 13
   Date     : 2022-07-11

Abstract:
   It is not uncommon for resource servers to require different
   authentication strengths or freshness according to the
   characteristics of a request.  This document introduces a mechanism
   for a resource server to signal to a client that the authentication
   event associated with the access token of the current request doesn't
   meet its authentication requirements and specify how to meet them.
   This document also codifies a mechanism for a client to request that
   an authorization server achieve a specific authentication strength or
   freshness when processing an authorization request.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-step-up-authn-challenge/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-01.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-step-up-authn-challenge-01


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts



