Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

2020-12-09 Thread Jim Manico
The basic theme from the web attacker community is: 1) XSS is a game over event to web clients. XSS can steal or abuse (request forgery) tokens, and more. 2) Even if you prevent stolen tokens from being used outside of a web client, XSS still allows the attacker to force a user to make any

Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

2020-12-09 Thread Brian Campbell
Thanks Philippe, I very much concur with your line of reasoning and the important considerations. The scenario I was thinking of is: browser based client where XSS is used to exfiltrate the refresh token along with pre-computed proofs that would allow for the RT to be exchanged for new access

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-09 Thread Kevin Gaynor
Why do I keep getting these messages and how did you hack my email Get Outlook for iOS From: OAuth on behalf of Warren Parad Sent: Wednesday, December 9, 2020 8:34:53 AM To: Karsten Meyer zu Selhausen Cc: oauth Subject: Re: [OAUTH-WG]

Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

2020-12-09 Thread Vladimir Dzhuvinov
Do we have deployments in the field and client-side developers giving feedback / comments about the current DPoP, implementing it, and perhaps those concerns about the access token? Vladimir On 08/12/2020 23:47, Brian Campbell wrote: > Danial recently added some text to the working copy of the