[OAUTH-WG] A token review of draft-parecki-oauth-v2-1-01

2020-04-21 Thread Brian Campbell
Been working on this on and off for a while now (it's not exactly short at 80+ pages, various other priorities, etc.) but wanted to share my thoughts from an initial review of the OAuth 2.1 draft before the interim next week where it is on the agenda

Re: [OAUTH-WG] Caution about open redirectors using the state parameter

2020-04-21 Thread Neil Madden
I think the correct defence is to validate the URL (e.g. check against a whitelist) at the point you are going to redirect to it after the OAuth flow completes, rather than before you begin the OAuth flow. But this feels like generic web app security advice rather than anything specific to

Re: [OAUTH-WG] Caution about open redirectors using the state parameter

2020-04-21 Thread George Fletcher
+1 However, we should be careful how we prohibit it... because if the state value is actually signed, having the URL there isn't a problem as the attacker cannot manipulate the value without breaking the signature. On 4/20/20 5:28 PM, Mike Jones wrote: I've seen several circumstances where

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-21 Thread Vittorio Bertocci
Ouch! Sorry, fixed. From: Dominick Baier Date: Tuesday, April 21, 2020 at 10:23 To: oauth , Rifaat Shekh-Yusef , Vittorio Bertocci Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" Oh and while we are at it - could you also fix the typo in my

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-21 Thread Mike Jones
This feedback is from a Microsoft engineer on the Azure Active Directory identity team: * 1 * Missing space at “Tokens(JWT)” * 2.1 * Use of “MUST” saying one form must be used, followed by “SHOULD” saying a different format should be used is a bit confusing. I get the

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-21 Thread Dominick Baier
Oh and while we are at it - could you also fix the typo in my name? Thanks ;) ——— Dominick Baier On 21. April 2020 at 09:43:49, Vittorio Bertocci (vittorio.berto...@auth0.com) wrote: This is a great point. In my head I just considered the OIDC semantic and thought only of highlighting the app

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt

2020-04-21 Thread Brian Campbell
I'd agree that Vladimir's proposed wording is more meaningful/helpful. On Mon, Apr 20, 2020 at 12:12 AM Vladimir Dzhuvinov wrote: > Nat, John, thanks for updating the JAR spec. I just reviewed it, in > particular the authz request and the security considerations sections. > Choosing to make

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-21 Thread Vittorio Bertocci
This is a great point. In my head I just considered the OIDC semantic and thought only of highlighting the app identity case, but you are absolutely right that not mentioning the user case at all is confusing. I added the language you suggested at the beginning of the sub definition. Thanks!