Thanks for referring us to this spec. How I read it, every way to represent an
application identity may require specific verification rules (including typ
specific syntactical rules).
In my interpretation this means we must explicitly manage expected type and
value of the identifier used to ma
Since I brought this up initially, I want to re-voice my support for a general
mechanism. I think it makes sense to have something that all of the OAuth
JSON-spouting endpoints (introspection, token, revocation, registration,
discovery) can use to universally put out signed and/or encrypted JWTs
Would it make sense for these to be a different client_auth_method entirely?
Much the same way that we have private_key_jwt and client_secret_jwt today,
both of which use the JWT assertion framework but have very different keying
and security assumptions. In the same way, here you’re still valid
You might want to look at RFC6125 which covers this topic and provides
recommendations for representing application in certificates:
https://tools.ietf.org/html/rfc6125
Regards,
Rifaat
On Tue, Nov 6, 2018 at 3:53 PM Evan Gilman wrote:
> Response(s) inline
>
> On Mon, Nov 5, 2018 at 11:53 PM N
Response(s) inline
On Mon, Nov 5, 2018 at 11:53 PM Neil Madden wrote:
>
> Is there an intention that any semantics are attached to the SAN being a URI
> or DNS name or IP or ...? Or is it still intended to be an opaque identifier?
There are some extra things we could do if we attached type-spec
Thanks Hannes,
Since I wasn't able to give an intro during the meeting today, I'd like to
share a little more context about this here as well.
At the Internet Identity Workshop in Mountain View last week, I led a
session to collect feedback on recommendations for OAuth for browser based
apps. Dur
Hi all,
Today we were not able to talk about draft-parecki-oauth-browser-based-apps-00,
which describes "OAuth 2.0 for Browser-Based Apps".
Aaron put a few slides together, which can be found here:
https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessa-oauth-2-for-browser-bas
