Re: [OAUTH-WG] aud, JAR, PoP key distro, etc. (was Re: IETF 93 OAuth WG Meeting Minutes)

2015-11-06 Thread Justin Richer
I was considering preparing an "extended scopes" concept draft to define both a target parameter (what we're using "aud" for) as well as a temporal parameter, to sit beside scope which is more naturally an "extent of permission". We need the audience bit for HEART, and I know others that do

[OAUTH-WG] aud, JAR, PoP key distro, etc. (was Re: IETF 93 OAuth WG Meeting Minutes)

2015-11-06 Thread Brian Campbell
That's right, sorry, there's not actually a conflict now as the PoP key distribution draft currently only uses the 'aud' parameter at the token endpoint. I just assume it will end up being used at the authorization endpoint eventually because the need to disambiguate where the token will be used i

[OAUTH-WG] one more post-WGLC comment on draft-ietf-oauth-jwsreq-06

2015-11-06 Thread Brian Campbell
Section 3 has, "If signed, the Authorization Request Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience) as members, with their semantics being the same as defined in the JWT [RFC7519

Re: [OAUTH-WG] some WGLC comments on draft-ietf-oauth-jwsreq-06

2015-11-06 Thread Brian Campbell
Apologies - I'd forgotten about the pending errata. On Wed, Oct 28, 2015 at 5:07 PM, Mike Jones wrote: > This working draft > http://openid.net/specs/openid-connect-registration-1_0-29.html > containing the OpenID Connect Dynamic Registration errata 2 edits to date > contains the registration re

[OAUTH-WG] (was Re: IETF 93 OAuth WG Meeting Minutes)

2015-11-06 Thread Brian Campbell
Adding those security considerations is probably a good idea but it doesn't actually address the question from my WGLC comments on draft-ietf-oauth-jwsreq-06. The question was about what from an encrypted only Request Object should

[OAUTH-WG] IETF 93 OAuth WG Meeting Minutes

2015-11-06 Thread Hannes Tschofenig
Here are the meeting minutes from the f2f. Please drop us a message if there is something missing or incorrect. - IETF 93 OAuth WG Meeting Minutes Room 301 Time: 15:20-17:20 Date: Thursday, November 5, 2015 (JST) Chairs: Hannes Tschofenig + Derek Atkins (absent) Minute Taker: Kepeng Li (

Re: [OAUTH-WG] Your Review of the Native Apps Draft

2015-11-06 Thread Erik Wahlström
I posted my review comments here https://www.ietf.org/mail-archive/web/oauth/current/msg14835.html Reposting it because the first comment in my review is also the same question I asked in this meeting. The problem is mainly a us