Re: [OAUTH-WG] Client Authentication Method at Device Authorization Endpoint

2019-06-03 Thread Takahiko Kawasaki
Dear Filip, Thank you for your comment. Historically, metadata related to client authentication methods have been defined for each endpoint such as token endpoint, introspection endpoint and revocation endpoint. When defining the CIBA specification, we discussed whether to define a new metadata fo

Re: [OAUTH-WG] Client Authentication Method at Device Authorization Endpoint

2019-06-03 Thread Filip Skokan
Hello Takahiko, Such language already exists in the second to last paragraph of section 3.1. Like with CIBA, the client’s regular token endpoint auth method is used at the device authorization endpoint. > The client authentication requirements of Section 3.2.1 of [RFC6749] apply to > requests on t

[OAUTH-WG] Client Authentication Method at Device Authorization Endpoint

2019-06-03 Thread Takahiko Kawasaki
Hello, Do you have any plan to define a rule as to which client authentication method should be used at the device authorization endpoint (which is defined in OAuth 2.0 Device Authorization Grant )? Section 4 of CIBA

[OAUTH-WG] Shepherd write-up for draft-ietf-oauth-jwt-introspection-response-03

2019-06-03 Thread Rifaat Shekh-Yusef
All, The following is the shepherd write-up for the draft-ietf-oauth-jwt-introspection-response-03 document: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/shepherdwriteup/ Please, take a look and let us know if you have any comments. Regards, Rifaat __

Re: [OAUTH-WG] Device Authorization Grant Interval

2019-06-03 Thread Janak Amarasena
What William said was my understanding as well. Best Regards, Janak On Mon, Jun 3, 2019 at 10:35 PM William Denniss wrote: > The "slow_down" error response is defined for well-meaning clients. In my > own client implementations, this has the effect of increasing the > interval used >

Re: [OAUTH-WG] Device Authorization Grant Interval

2019-06-03 Thread Aaron Parecki
Is there something wrong with using the existing error code defined for this? >slow_down > A variant of "authorization_pending", the authorization request is > still pending and polling should continue, but the interval MUST > be increased by 5 seconds for this and all subsequen

Re: [OAUTH-WG] Device Authorization Grant Interval

2019-06-03 Thread Janak Amarasena
Hi Joseph, Thank you for the information, this is what I was also thinking. It would be nice if this could be defined in the specification itself, maybe as a recommendation, as there can be wrongly written client applications or even some party trying to do a brute force attack. Best Regards, Jan

[OAUTH-WG] Second AD Review: draft-ietf-oauth-jwt-bcp-05

2019-06-03 Thread Roman Danyliw
Hi! As a document I inherited in the "IESG:: Waiting for Writeup Internet-Drafts" , I conducted a second AD review. I have the following feedback: (1) Add additional references to the text (a) Section 2.1, bullet #2 - An "RS256" (RSA, 2048 bit) parameter value can be changed into "HS

[OAUTH-WG] oauth - New Meeting Session Request for IETF 105

2019-06-03 Thread IETF Meeting Session Request Tool
A new meeting session request has just been submitted by Rifaat Shekh-Yusef, a Chair of the oauth working group. - Working Group Name: Web Authorization Protocol Area Name: Security Area Session Requester: Rifaat Shekh-Yusef Number of S