Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Dominick Baier
Good point. Thanks, Brian. We should retrofit typs everywhere... in hindsight. ——— Dominick Baier On 22. July 2020 at 23:55:20, Brian Campbell (bcampb...@pingidentity.com) wrote: Because it wouldn't actually prevent it in this case due to JWT assertion client authentication (a.k.a.

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Dominick Baier
Even more. Jwsreq should have it. But the authors decided against it. ——— Dominick Baier On 23. July 2020 at 07:38:04, Dominick Baier (dba...@leastprivilege.com) wrote: Good point. Thanks, Brian. We should retrofit typs everywhere... in hindsight. ——— Dominick Baier On 22. July 2020 at

Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt

2020-07-22 Thread Brian Campbell
Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS required and SHOULD on short lifetime *and* single use). On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov wrote: > Thanks for the update. With the "require PAR" AS and client metadata the > spec is now "policy

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Brian Campbell
Because it wouldn't actually prevent it in this case due to JWT assertion client authentication (a.k.a. private_key_jwt) having come about well before the JWT BCP and the established concept of using the 'typ' header to prevent cross-JWT confusion. Thus there's no validation rule regarding the

Re: [OAUTH-WG] Namespacing "type" in RAR

2020-07-22 Thread Torsten Lodderstedt
> On 22. Jul 2020, at 22:16, Vladimir Dzhuvinov wrote: > > > On 21/07/2020 18:43, Torsten Lodderstedt wrote: >> >>> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov >>> wrote: >>> >>> >>> >>> On 21/07/2020 17:47, Justin Richer wrote: > On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov

Re: [OAUTH-WG] Namespacing "type" in RAR

2020-07-22 Thread Vladimir Dzhuvinov
On 21/07/2020 18:43, Torsten Lodderstedt wrote: > >> On 21. Jul 2020, at 17:40, Vladimir Dzhuvinov >> wrote: >> >> >> >> On 21/07/2020 17:47, Justin Richer wrote: On Jul 19, 2020, at 1:04 PM, Vladimir Dzhuvinov wrote: On 18/07/2020 17:12, Justin Richer wrote: > I think

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Dominick Baier
Why not use a typ header as suggested by the JWT BCP? ——— Dominick Baier On 22. July 2020 at 17:37:41, Brian Campbell (bcampbell=40pingidentity@dmarc.ietf.org) wrote: The TL;DR here is a somewhat tentative suggestion that a brief security consideration be added to

[OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Brian Campbell
The TL;DR here is a somewhat tentative suggestion that a brief security consideration be added to https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits the inclusion of a 'sub' claim containing the client id value in the request object JWT so as to prevent the request object JWT