Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

2021-12-02 Thread Mike Jones
Thanks for this thoughtful analysis, Aaron. I believe you’re spot on that these attacks can occur “when the attacker has access to both the authorization code as well as the PKCE code verifier.” -- Mike From: OAuth On Behalf Of Aaron

Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

2021-12-02 Thread Aaron Parecki
Hi all, I've been giving this some more thought. The problem occurs when the attacker has access to both the authorization code as well as the PKCE code verifier. The assumption being made with PKCE is that the first time the PKCE code verifier and authorization code are seen together is in the

Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

2021-12-02 Thread Warren Parad
The only mention of sophistication is this logical fallacy: > If this leading security company had been penetrated, it almost certainly took an incredibly sophisticated attack. But it leaves out exactly what that was. And it doesn't give any insight into how this attack at MS would have

Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

2021-12-02 Thread Pieter Kasselman
Thanks for the comments and engagement Warren. The attacks we described and the ideas on mitigations are born out of attack vectors we are observing in the wild. They are not negligible. We are seeing a new class of very sophisticated attackers, and if you're interested, this article provides

Re: [OAUTH-WG] JWK Thumbprint URI Specification

2021-12-02 Thread David Chadwick
On 29/11/2021 20:58, Mike Jones wrote: Hi DW, Having the OAuth WG add a new registration to a registry that it controls is fairly easy. Our success in motivating and accomplishing registering a new

[OAUTH-WG] Francesca Palombini's No Objection on draft-ietf-oauth-iss-auth-resp-04: (with COMMENT)

2021-12-02 Thread Francesca Palombini via Datatracker
Francesca Palombini has entered the following ballot position for draft-ietf-oauth-iss-auth-resp-04: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Re: [OAUTH-WG] Francesca Palombini's Discuss on draft-ietf-oauth-iss-auth-resp-03: (with DISCUSS)

2021-12-02 Thread Daniel Fett
Hi Francesca, Warren, Brian, we have modified the IANA Considerations section in the just uploaded version -04 according to your feedback. -Daniel On 30.11.21 at 19:42, Francesca Palombini wrote: > Hi Warren, Brian, > Thanks for your feedback, and for confirming that the semantics of

Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-iss-auth-resp-03: (with COMMENT)

2021-12-02 Thread Daniel Fett
Hi Murray, thanks for your review and feedback. We have just uploaded version -04 which includes a fix for the missing quotation marks (which were not added by xml2rfc automatically for an unknown reason). -Daniel On 02.12.21 at 07:01, Murray Kucherawy via Datatracker wrote: > Murray

[OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-04.txt

2021-12-02 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Authorization Server Issuer Identification Authors : Karsten Meyer zu Selhausen