Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-31 Thread Benjamin Kaduk
On Tue, Mar 31, 2020 at 09:33:35PM +, Vittorio Bertocci wrote: > > > I’ve already replied to the other thread, but I’ll note that “different > > strengths, different lifecycles” don’t matter much if the RS will accept > > both types of tokens, signed with either key. > point taken. I applied

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-05.txt

2020-03-31 Thread Vittorio Bertocci
This version includes a quite large set of changes and additions- thanks Annabelle, George, Aaron, Brian, Filip. Will pick up the conversation on the main remaining item, audience & scopes, in the next few hours. On 3/31/20, 14:35, "OAuth on behalf of internet-dra...@ietf.org" wrote:

[OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-05.txt

2020-03-31 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens Author : Vittorio Bertocci File

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-31 Thread Vittorio Bertocci
Thank you! I updated the language accordingly, and added a warning in the security section aligned with Annabelle’s concerns. Updating the draft shortly. From: Brian Campbell Date: Thursday, March 26, 2020 at 09:47 To: Vittorio Bertocci Cc: George Fletcher , Brian Campbell , oauth Subject: Re

Re: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access Tokens

2020-03-31 Thread Vittorio Bertocci
Alrighty. I added language to explicitly call out 6570 and invalid_token... and eliminated step 7 in the validation for other reasons, indirectly obviating the need to clarify the reauthentication signaling mechanism. Updating the draft shortly. On 3/25/20, 12:59, "vittorio.berto...@auth0.c

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-31 Thread Vittorio Bertocci
Thank you! I updated the language accordingly, and added a warning in the security section aligned with your concerns. Updating the draft shortly. Will pick up the audience/scope discussion right after that. From: "Richard Backman, Annabelle" Date: Wednesday, March 25, 2020 at 17:53 To: Vittori

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-31 Thread Vittorio Bertocci
I addressed all of the below, in line with your suggestion in nearly every case. I am updating the draft as there are many changes accumulated at this point- will pick up the audiences and scope discussion afterwards. > As evidenced by George’s questions, the individual descriptions are > conf

Re: [OAUTH-WG] RAR - Example JWT for Payment

2020-03-31 Thread Justin Richer
The “type” is effectively a schema marker for the content of the authorization request object, and so it doesn’t need to be the same domain as the API that’s being hosted. Think of it this way: the type defines the API, this could be a standard body or some other org, and the location defines th

Re: [OAUTH-WG] IETF 107 Virtual OAuth Sessions

2020-03-31 Thread Aaron Parecki
Sounds good to me! Aaron Parecki aaronparecki.com @aaronpk On Thu, Mar 26, 2020 at 1:05 PM Hannes Tschofenig wrote: > > Hi all, > > > > Rifaat and I had a chat about the virtual interim meetings. > > We decided to schedule 6 one-hour-long sessions with 2 topics per session. > > > > Here is