Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-10-13 Thread Sergey Beryozkin
Hi. We've had a user asserting that OAuth2 == OpenidConnect, referring to the fact that the 'only' thing OIC adds on top of the authorization code flow is the client specifying a few extra scopes like 'openid' and 'profile' and the authorization service returning an extra property, the id_token

[OAUTH-WG] (no subject)

2014-10-13 Thread Panca Panca . blogspot . com
Sent from my BlackBerry 10 smartphone on the Telkomsel network. ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] open redirect in rfc6749

2014-10-13 Thread Antonio Sanso
just sharing with you how this very “issue” has been lately used in a real life attack: http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html regards antonio On Oct 9, 2014, at 3:34 PM, Antonio Sanso asa...@adobe.com wrote: hi again *, apologies to bother you

Re: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-json-web-token-27: (with DISCUSS and COMMENT)

2014-10-13 Thread Brian Campbell
Repeating the note about acceptable algorithms in the JWT spec sounds fine. On Sat, Oct 11, 2014 at 1:54 PM, Mike Jones michael.jo...@microsoft.com wrote: From: Richard Barnes [mailto:r...@ipv.sx] Sent: Friday, October 10, 2014 2:37 PM To: Mike Jones Cc: The IESG;

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-10-13 Thread Sergey Beryozkin
Hi Justin, On 13/10/14 12:53, Justin Richer wrote: You are correct in that OAuth 2 and OpenID Connect are not the same thing, but your user is correct that OIDC adds a few pieces on top of OAuth to add authentication capabilities. OIDC was designed very explicitly to be compatible with vanilla

Re: [OAUTH-WG] Benoit Claise's Discuss on draft-ietf-oauth-saml2-bearer-21: (with DISCUSS and COMMENT)

2014-10-13 Thread Mike Jones
Thanks for your review Benoit. I'm adding the working group to the thread so they're aware of your comments. Replies inline below... -Original Message- From: Benoit Claise [mailto:bcla...@cisco.com] Sent: Monday, October 13, 2014 6:34 AM To: The IESG Cc: Tom Taylor;

Re: [OAUTH-WG] Benoit Claise's Discuss on draft-ietf-oauth-saml2-bearer-21: (with DISCUSS and COMMENT)

2014-10-13 Thread Benoit Claise
On 13/10/2014 16:13, Mike Jones wrote: Thanks for your review Benoit. I'm adding the working group to the thread so they're aware of your comments. Replies inline below... -Original Message- From: Benoit Claise [mailto:bcla...@cisco.com] Sent: Monday, October 13, 2014 6:34 AM To:

Re: [OAUTH-WG] [OPS-DIR] ops-dir review of draft-ietf-oauth-jwt-bearer-10

2014-10-13 Thread Mike Jones
Thanks for your review, Tim. I've added the working group to the thread so they're aware of your comments. Replies are inline below... -Original Message- From: Benoit Claise [mailto:bcla...@cisco.com] Sent: Monday, October 13, 2014 6:45 AM To: Tim Wicinski; ops-...@ietf.org;

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-10-13 Thread Sergey Beryozkin
On 13/10/14 15:17, Justin Richer wrote: You certainly can do authentication without using an access token, but then I would argue that's no longer OAuth. Basically you're making tofu carob fudge. Right, the access token is there for a client to get to the UserInfo endpoint, as far as OIDC is

Re: [OAUTH-WG] Benoit Claise's Discuss on draft-ietf-oauth-saml2-bearer-21: (with DISCUSS and COMMENT)

2014-10-13 Thread Mike Jones
I'm adding the working group to this thread so they're aware of the discussion. Replies are inline below... From: Brian Campbell [mailto:brian.d.campb...@gmail.com] Sent: Monday, October 13, 2014 7:52 AM To: Barry Leiba Cc: Benoit Claise; The IESG; oauth-cha...@tools.ietf.org;

Re: [OAUTH-WG] Benoit Claise's Discuss on draft-ietf-oauth-saml2-bearer-21: (with DISCUSS and COMMENT)

2014-10-13 Thread Mike Jones
Re-adding the working group to the thread... -Original Message- From: barryle...@gmail.com [mailto:barryle...@gmail.com] On Behalf Of Barry Leiba Sent: Monday, October 13, 2014 7:59 AM To: Brian Campbell Cc: Benoit Claise; The IESG; oauth-cha...@tools.ietf.org; draft-ietf-oauth-

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-10-13 Thread Phil Hunt
The point to be made is if the client’s objective is to authenticate the User, the base 6749 spec does not guarantee this at all. It simply authorizes the client to access a resource and nothing more. It turns out that a significant part of the time authentication does occur, but the client

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-10-13 Thread Sergey Beryozkin
Hi Phil Thanks for the clarifications, On 13/10/14 20:18, Phil Hunt wrote: The point to be made is if the client’s objective is to authenticate the User, the base 6749 spec does not guarantee this at all. It simply authorizes the client to access a resource and nothing more. It turns out

Re: [OAUTH-WG] Blackhat US: OAuth Talk

2014-10-13 Thread Adam Renberg
Hi! I have read through the paper, and what they consider a flaw in OAuth 2 is the fact that for the implicit grant flow the access token is sent to the client through the User Agent, and thus the User Agent can intercept it. What they find is that social network provider X allows the implicit

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

2014-10-13 Thread Phil Hunt
Sergey, Actually, I think your comments are fine. They add to the discussion on why A4C is distinct from OIDC’s larger IDP role in an OAuth style flow and why *both* are needed. Comments in line. Phil @independentid www.independentid.com phil.h...@oracle.com On Oct 13, 2014, at 1:24 PM,