Re: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens

2016-11-13 Thread Torsten Lodderstedt 
thanks. So the underlying implementation is supposed to create the 
signed data (TokenBindingMessage) and the client (or library) is 
supposed to create the header?


Am 13.11.2016 um 15:43 schrieb Mike Jones:


The HTTP header is described in 
https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-2 
where it talks about a Sec-Token-Binding Header Field with a 
TokenBindingMessage with a TokenBinding structure with 
TokenBindingType of referred_token_binding.


The example is a good idea.

-- Mike

*From:*Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
*Sent:* Sunday, November 13, 2016 2:48 PM
*To:* Mike Jones <michael.jo...@microsoft.com>; oauth@ietf.org
*Subject:* Re: [OAUTH-WG] Using Referred Token Binding ID for Token 
Binding of Access Tokens


Hi Mike,

does this mean the binding ID is indicated to the authorization server 
via a respective HTTP header? I'm asking because I didn't find the 
respective parameter in the draft.


Could you add a HTTP request example? I think that would help a lot to 
better understand the mechanism.


best regards,
Torsten.

Am 20.09.2016 um 21:16 schrieb Mike Jones:

The OAuth Token Binding specification has been revised to use the
Referred Token Binding ID when performing token binding of access
tokens.  This was enabled by the Implementation Considerations in
the Token Binding HTTPS specification being added to make it clear
that Token Binding implementations will enable using the Referred
Token Binding ID in this manner.  Protected Resource Metadata was
also defined.

Thanks to Brian Campbell for clarifications on the differences
between token binding of access tokens issued from the
authorization endpoint versus those issued from the token endpoint.

The specification is available at:

·http://tools.ietf.org/html/draft-ietf-oauth-token-binding-01

An HTML-formatted version is also available at:

·http://self-issued.info/docs/draft-ietf-oauth-token-binding-01.html

-- Mike

P.S.  This notice was also posted at
http://self-issued.info/?p=1610 <http://self-issued.info/?p=1610>
and as @selfissued <https://twitter.com/selfissued>.




___

OAuth mailing list

OAuth@ietf.org <mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens

2016-11-12 Thread Mike Jones 
The HTTP header is described in 
https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-2 where it 
talks about a Sec-Token-Binding Header Field with a TokenBindingMessage with a 
TokenBinding structure with TokenBindingType of referred_token_binding.

The example is a good idea.

   -- Mike

From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Sunday, November 13, 2016 2:48 PM
To: Mike Jones <michael.jo...@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Using Referred Token Binding ID for Token Binding of 
Access Tokens

Hi Mike,

does this mean the binding ID is indicated to the authorization server via a 
respective HTTP header? I'm asking because I didn't find the respective 
parameter in the draft.

Could you add a HTTP request example? I think that would help a lot to better 
understand the mechanism.

best regards,
Torsten.
Am 20.09.2016 um 21:16 schrieb Mike Jones:
The OAuth Token Binding specification has been revised to use the Referred 
Token Binding ID when performing token binding of access tokens.  This was 
enabled by the Implementation Considerations in the Token Binding HTTPS 
specification being added to make it clear that Token Binding implementations 
will enable using the Referred Token Binding ID in this manner.  Protected 
Resource Metadata was also defined.

Thanks to Brian Campbell for clarifications on the differences between token 
binding of access tokens issued from the authorization endpoint versus those 
issued from the token endpoint.

The specification is available at:

*   http://tools.ietf.org/html/draft-ietf-oauth-token-binding-01

An HTML-formatted version is also available at:

*   http://self-issued.info/docs/draft-ietf-oauth-token-binding-01.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1610 and as 
@selfissued<https://twitter.com/selfissued>.





___

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Using Referred Token Binding ID for Token Binding of Access Tokens

2016-09-20 Thread Mike Jones 
The OAuth Token Binding specification has been revised to use the Referred 
Token Binding ID when performing token binding of access tokens.  This was 
enabled by the Implementation Considerations in the Token Binding HTTPS 
specification being added to make it clear that Token Binding implementations 
will enable using the Referred Token Binding ID in this manner.  Protected 
Resource Metadata was also defined.

Thanks to Brian Campbell for clarifications on the differences between token 
binding of access tokens issued from the authorization endpoint versus those 
issued from the token endpoint.

The specification is available at:

*   http://tools.ietf.org/html/draft-ietf-oauth-token-binding-01

An HTML-formatted version is also available at:

*   http://self-issued.info/docs/draft-ietf-oauth-token-binding-01.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1610 and as 
@selfissued.

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth