Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread Dominick Baier
+1 ——— Dominick On 8. April 2019 at 20:21:21, William Denniss (wdenniss=40google@dmarc.ietf.org) wrote: I support adoption of this draft as a working group document. On Mon, Apr 8, 2019 at 11:11 AM George Fletcher wrote: > +1 for me as well :) > > On 4/8/19 1:38 PM, Hans Zandbelt wrote:

Re: [OAUTH-WG] MTLS and SAN

2019-04-08 Thread Justin Richer
Thanks for the clarifications everyone. Since I didn’t catch the one-and-only-one sentiment when reading the updates, I would recommend altering the text as follows in §2.1: The PKI (public key infrastructure) method of mutual TLS OAuth client authentication adheres to the way in which

Re: [OAUTH-WG] draft-fett-oauth-dpop-00

2019-04-08 Thread Justin Richer
Corollary to this, are there thoughts of header protection under this method, and the associated issue of header modification? — Justin On Apr 8, 2019, at 7:23 PM, Phil Hunt <phil.h...@oracle.com> wrote: Question. One of the issues that Justin Richer’s signing draft tried to address

Re: [OAUTH-WG] draft-fett-oauth-dpop-00

2019-04-08 Thread Phil Hunt
Question. One of the issues that Justin Richer’s signing draft tried to address was url modification by tls terminators/load balancers/proxies/api gateways etc. How do you see this issue in dpop? Is it a problem? Phil > On Apr 3, 2019, at 9:01 AM, George Fletcher wrote: > > Perfect!

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

2019-04-08 Thread Brian Campbell
"quotes my own articles on the matter extensively" - I know and almost mentioned that but didn't want to further embolden your ego :) Silence is rarely assent. Especially near the end of the last session of the last day of a workshop. And when I've got a train to catch. I am somewhat sympathetic

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread George Fletcher
+1 for me as well :) On 4/8/19 1:38 PM, Hans Zandbelt wrote: +1 Hans. On Mon, Apr 8, 2019, 19:34 John Bradley wrote: I agree this should be adopted as a working group document. On 4/8/2019 7:07 PM, Hannes Tschofenig wrote: > Hi all, > > this

[OAUTH-WG] WGLC on draft-ietf-oauth-jwt-introspection-response-02

2019-04-08 Thread Rifaat Shekh-Yusef
All, As discussed during the meeting in Prague, we are starting a WGLC on the *JWT Response for OAuth Token Introspection* document: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/ Please, review the document and provide feedback on any issues you see with the

Re: [OAUTH-WG] MTLS and SAN

2019-04-08 Thread Brian Campbell
Yes, the intent is that the client be configured (dynamically or statically or however that comes to be) with one and only one expected subject, which also includes the location in the certificate that subject will be. And that is checked against at authentication time. As the writer of the

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread Hans Zandbelt
+1 Hans. On Mon, Apr 8, 2019, 19:34 John Bradley wrote: > I agree this should be adopted as a working group document. > > > On 4/8/2019 7:07 PM, Hannes Tschofenig wrote: > > Hi all, > > > > this is the call for adoption of the 'JWT Usage in OAuth2 Access > Tokens' document following the

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread John Bradley
I agree this should be adopted as a working group document. On 4/8/2019 7:07 PM, Hannes Tschofenig wrote: Hi all, this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens' document following the positive feedback at the last IETF meeting in Prague. Here is the document:

Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread Filip Skokan
I support the draft's adoption. Best, *Filip Skokan* On Mon, 8 Apr 2019 at 19:07, Hannes Tschofenig wrote: > Hi all, > > this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens' > document following the positive feedback at the last IETF meeting in Prague. > > Here is the

[OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-08 Thread Hannes Tschofenig
Hi all, this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens' document following the positive feedback at the last IETF meeting in Prague. Here is the document: https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00 Please let us know by April 22nd whether you

Re: [OAUTH-WG] Question regarding RFC 7800

2019-04-08 Thread Robert Lembree
Hi Carsten, I didn't see any specific issues. I'm trying to understand where the RFC stands, and why or why not it might be smart to implement and use it as it stands. My primary concern is compatibility with any anticipated changes to the RFC in advance of wide acceptance. Regards,

Re: [OAUTH-WG] Question regarding RFC 7800

2019-04-08 Thread Carsten Bormann
Hi Robert, This raises the $64000 question: What piece of information made you consider that this draft might need more help? Maybe there is some miscommunication that we can fix. Grüße, Carsten > On Apr 3, 2019, at 12:14, Robert Lembree wrote: > > Hello folks, > What

Re: [OAUTH-WG] Possible help with product design

2019-04-08 Thread Hannes Tschofenig
Hi Milind, while there are lots of people on this list with hands-on experience with OAuth 2.0 the purpose of this mailing list is primarily for discussions related to the specifications developed by the OAuth working group. Here you can find our active working group specifications:

Re: [OAUTH-WG] Question regarding RFC 7800

2019-04-08 Thread Hannes Tschofenig
Hi Robert, the work on RFC 7800 has been completed from the point of view of the OAuth working group. As Ludwig mentioned below, it is being used by other working groups in the IETF but also by companies as-is. Even in the OAuth working group we have other documents that build on top of it,

Re: [OAUTH-WG] Question regarding RFC 7800

2019-04-08 Thread Ludwig Seitz
On 03/04/2019 12:14, Robert Lembree wrote: Hello folks,     What is the status of RFC 7800?  We’re finding the need for this, and wonder what we might be able to do to help move this along? Regards, rob If I may be so bold to drop a shameless plug for the ACE WG here [1].