Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-02 Thread Benjamin Kaduk
Hi Denis,

On Tue, Jun 02, 2020 at 10:20:36AM +0200, Denis wrote:
> Hi Benjamin,
>
> Responses are between the lines.
>
> > On Fri, May 22, 2020 at 11:37:28AM +0200, Denis wrote:
> >> Hi Benjamin,
> >>> On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote:
> Since then, I questioned myself

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-02 Thread Benjamin Kaduk
On Mon, Jun 01, 2020 at 10:06:22PM +0530, Janak Amarasena wrote:
> Hi all,
>
> My apologies, if this was already discussed.
>
> In section *4*. Validating JWT Access Tokens it is stated;
>
> The resource server M
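The preview above cuts off at the start of the section 4 rule. For readers of the archive, here is an added illustration of the resource-server checks that section of the JWT access token profile draft lays out: the `typ` header must be `at+jwt` (or `application/at+jwt`), `alg` `none` is rejected, the signature is verified, and `iss`, `aud` and `exp` are checked against the resource server's own configuration. This is editor-supplied example code, not code from the draft, the thread, or any implementation discussed in it. It assumes an HS256 shared key, a fixed issuer URL and a fixed resource identifier purely so it runs offline; a real resource server would fetch the AS's JWKS and verify an asymmetric signature.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key: a real resource server would fetch the AS's JWKS and
# verify an asymmetric signature; HS256 keeps this example self-contained.
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://as.example.com"   # assumed AS issuer identifier
RESOURCE_ID = "https://api.example.com"      # assumed identifier of this RS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_at_jwt(claims: dict, typ: str = "at+jwt", alg: str = "HS256") -> str:
    """Constructed stand-in for the AS: issues a JWT with the given header values."""
    header = _b64url(json.dumps({"typ": typ, "alg": alg}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url(sig)}"


def validate_at_jwt(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Resource-server side validation; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # typ pins the token to the access-token profile, so an ID token or other
    # JWT signed by the same AS cannot be presented as an access token.
    if header.get("typ") not in ("at+jwt", "application/at+jwt"):
        return False, "wrong typ"
    # Allow-list the algorithm: "none" and anything unexpected are rejected
    # before the signature is even looked at.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(DEMO_KEY, f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if RESOURCE_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    return True, "ok"
```

The order matters in practice: `typ` and `alg` are checked before any key is touched, so a token of the wrong kind or with a disabled algorithm never reaches signature verification, and the audience check is done against this resource server's own identifier rather than trusting whatever the token says.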

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-06-02 Thread Hannes Tschofenig
Let me try to jump in here in order to make a proposal for the text in the privacy consideration section:

FROM:

6. Privacy Considerations

As JWT access tokens carry information by value, it now becomes possible

Re: [OAUTH-WG] Downgrade attacks on PKCE

2020-06-02 Thread Gavin Henry
I note Ory Hydra forces PKCE for all types of clients already. ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Downgrade attacks on PKCE

2020-06-02 Thread Vladimir Dzhuvinov
Thanks for laying out the solutions so neatly. We would prefer #2 the "dynamic" solution because it wouldn't require us to do any changes. I've had the impression that the unexpected code_verifier case was somehow covered as an error in RFC 7636 but checked the spec now and apparently it isn't. V
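The "unexpected code_verifier" case Vladimir refers to is the core of the downgrade: if an authorization code was issued for a request that carried no `code_challenge`, and the token request for that code nevertheless arrives with a `code_verifier`, the code did not come from the flow the PKCE-using client started. An AS that silently ignores the verifier in that situation accepts an injected code. The following is an added example by the editor, not code from the thread, RFC 7636, or Ory Hydra: a constructed authorization-server model with a switch for the "dynamic" behaviour (option #2 as described in the thread, here modelled as rejecting a verifier that has no stored challenge to check against), alongside a scenario that shows the injection succeeding without the check and failing with it. The client identifier `app1` and the single-client, in-memory code store are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), per RFC 7636."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed AS model covering only the PKCE state of the code flow."""

    def __init__(self, reject_unexpected_verifier: bool):
        # True models the "dynamic" option: the decision is taken per code, from
        # what the authorization request carried, not from client configuration.
        self.reject_unexpected_verifier = reject_unexpected_verifier
        self._codes: Dict[str, dict] = {}

    def authorize(self, client_id: str, code_challenge: Optional[str] = None,
                  code_challenge_method: str = "S256") -> str:
        if code_challenge is not None and code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted here")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str] = None) -> dict:
        record = self._codes.pop(code, None)  # authorization codes are single-use
        if record is None or record["client_id"] != client_id:
            raise ValueError("invalid_grant")
        stored = record["challenge"]
        if stored is None:
            # No code_challenge was bound to this code. A code_verifier arriving
            # anyway means the code was not produced by the flow this client
            # started; an AS that ignores it can be downgraded.
            if code_verifier is not None and self.reject_unexpected_verifier:
                raise ValueError("invalid_grant: unexpected code_verifier")
        else:
            if code_verifier is None or not hmac.compare_digest(
                    s256_challenge(code_verifier), stored):
                raise ValueError("invalid_grant: code_verifier mismatch")
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def honest_flow_succeeds(as_server: AuthorizationServer) -> bool:
    """A client that sends a challenge and the matching verifier gets a token."""
    verifier = secrets.token_urlsafe(32)
    code = as_server.authorize("app1", s256_challenge(verifier))
    return "access_token" in as_server.token("app1", code, verifier)


def wrong_verifier_rejected(as_server: AuthorizationServer) -> bool:
    code = as_server.authorize("app1", s256_challenge(secrets.token_urlsafe(32)))
    try:
        as_server.token("app1", code, secrets.token_urlsafe(32))
    except ValueError:
        return True
    return False


def code_injection_succeeds(as_server: AuthorizationServer) -> bool:
    """Downgrade scenario: the attacker obtains a code for the victim's client_id
    from a request without code_challenge, then gets the victim's PKCE-using
    client to redeem that code with the victim's own verifier."""
    injected_code = as_server.authorize("app1")     # attacker's request, no PKCE
    victim_verifier = secrets.token_urlsafe(32)     # victim client's own flow
    try:
        as_server.token("app1", injected_code, victim_verifier)
    except ValueError:
        return False
    return True
```

With `reject_unexpected_verifier=False` the verifier is simply ignored and the injected code is redeemed; with it set to `True` the token request fails with `invalid_grant`, which is the behaviour the "dynamic" solution asks of the AS without any change on the client side.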

Re: [OAUTH-WG] Comments on draft-ietf-oauth-jwsreq-22 (The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request))

2020-06-02 Thread Denis
Hi Benjamin and Aaron, Note: This is also a reply to Aaron who wrote: Typically in OAuth it's the authorization server's job to inform users and protect access to their resources. Obviously in order to do that the AS must know about the details of the request. Can you please clar

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-02 Thread Denis
Hi Benjamin, Responses are between the lines. On Fri, May 22, 2020 at 11:37:28AM +0200, Denis wrote: Hi Benjamin, On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote: Since then, I questioned myself how a client would be able to request an access token that would be *strictly compliant wit