Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-05-17 Thread Bill Burke

Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-05-17 Thread Bill Burke

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-31 Thread Bill Burke
On Fri, Mar 30, 2018 at 2:47 PM, Richard Backman, Annabelle wrote: > It sounds like you're asking the OP to provide client-side session management > as a service. There may be value in standardizing that, but I think it goes > beyond what Backchannel Logout is intended to

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-30 Thread Bill Burke
On Fri, Mar 30, 2018 at 12:57 PM, Richard Backman, Annabelle wrote: > > FWIW, our OP implementation allows RPs to register their node specific > logout endpoints at boot. This request is authenticated via client > authentication. We also extended code to token request to

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Bill Burke
> > Then, isn't any backchannel logout specification more of a framework than an actual protocol? -- Bill Burke Red Hat

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Bill Burke
On Wed, Mar 28, 2018 at 1:40 PM, Richard Backman, Annabelle <richa...@amazon.com> wrote: > I'm reminded of this session from IIW 21. ☺ > I look forward to reading the document distilling the various competing use > cases and

Re: [OAUTH-WG] What Does Logout Mean?

2018-03-28 Thread Bill Burke

[OAUTH-WG] [token-exchange] Parameters to support external token exchange

2017-12-06 Thread Bill Burke
an then make an exchange request. For error conditions, the redirect_uri may be forwarded to with an additional 'error' query parameter depending on whether the IDP deems it safe to do so. Thanks, Bill [1] http://www.keycloak.org/docs/latest/securing_

Re: [OAUTH-WG] Token Exchange Implementations

2017-11-27 Thread Bill Burke

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-21 Thread Bill Burke
cookies" that allows you to programmatically remove this risk > in some modern browsers, it's worth reviewing. > > https://tools.ietf.org/html/draft-west-first-party-cookies-07 > > It's live in Chrome and Opera and will only grow in support. > http://caniuse.com/#search=samesite > >

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Bill Burke
clients. > > On Tue, Sep 19, 2017 at 4:47 PM, Phil Hunt (IDM) <phil.h...@oracle.com> > wrote: >> >> Except a refresh token is not purely bearer. The client is required to >> authenticate to use it. >> >> Phil >> >> > On Sep 19, 2017, at 2

Re: [OAUTH-WG] Recommendations for browser-based apps

2017-09-19 Thread Bill Burke
in SPAs, if you have some recommendations for good blog posts > I would be grateful. -- Bill Burke Red Hat

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-29 Thread Bill Burke
token-exchange-09#section-3>) so the issuer is the given STS in that case. Cross domain is possible by use of other token types that are not opaque to the STS where the issuer can be inferred from the token. On Fri, Jul 28, 2017 at 3:27 PM, Bill Burke <bbu...@redhat.com <mailto:bbu...@red

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-28 Thread Bill Burke
token will be the AS/STS that issued it. A cross domain exchange could happen by a client presenting a subject_token from a different domain/issuer (that the AS/STS trusts) and receiving a token issued by that AS/STS suitable for the target domain. On Fri, Jul 28, 2017 at 9:06 AM, Bill Burke <

Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains

2017-07-28 Thread Bill Burke
architectures. On 7/26/17 6:44 PM, Bill Burke wrote: Hi all, I'm looking at Draft 9 of the token-exchange spec. How would one build a request to: * exchange a token issued by a different domain to a client managed by the authorization server. * exchange a token issued by the

Re: [OAUTH-WG] Short lived access token and no refresh token

2017-07-25 Thread Bill Burke
For browser apps, implicit flow provides an access token but no refresh token. For non-browser apps only client credentials grant doesn't supply a refresh token. As for token access times, I believe only extensions to OAuth define those types of capabilities. i.e. OpenID Connect defines a

Re: [OAUTH-WG] oauth with command line clients

2017-06-17 Thread Bill Burke

Re: [OAUTH-WG] oauth with command line clients

2017-06-12 Thread Bill Burke
On 6/12/17 12:20 PM, David Waite wrote: FYI, A few years ago I did a demonstration on OpenID Connect at Cloud Identity Summit using a collection of bash scripts and command-line utilities (nc, jq). I used the macOS system command ‘open’ to launch a browser, and netcat to field the response

Re: [OAUTH-WG] oauth with command line clients

2017-06-12 Thread Bill Burke
flow. This option ends up being the most seamless since it works like a traditional flow without any special instructions to the user. Aaron Parecki aaronparecki.com <http://aaronparecki.com> @aaronpk <http://twitter.com/aaronpk> On Sun, Jun 11, 2017 at 8:52 PM, Bil

[OAUTH-WG] oauth with command line clients

2017-06-11 Thread Bill Burke
thought into. Hope I'm making sense here. Thanks, Bill Burke Red Hat

Re: [OAUTH-WG] Google's use of Implicit Grant Flow

2017-02-16 Thread Bill Burke
For our IDP [1], our javascript library uses the auth code flow, but requires a public client, redirect_uri validation, and also does CORS checks and processing. We did not like Implicit Flow because 1) access tokens would be in the browser history 2) short lived access tokens (seconds or

Re: [OAUTH-WG] redircet_uri matching algorithm

2015-05-20 Thread Bill Burke
to implement and the state param larger and more complex. prefix matching seems like it would be a very common thing that an auth server supports and clients would want to have. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] OAuth Token Swap (token chaining)

2015-03-24 Thread Bill Burke
to obtain an access token on behalf of the user before it can invoke on the STS? Or can it be granted tokens for any user out of band without user consent or user authorization? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] AD review of Draft-ietf-dyn-reg

2015-02-24 Thread Bill Burke

Re: [OAUTH-WG] user impersonation protocol?

2015-02-16 Thread Bill Burke
adding a custom claim to the id token to indicate this is taking place. That way you can differentiate where needed, including in logs. -- Justin / Sent from my phone / Original message From: Bill Burke bbu...@redhat.com Date:02/15/2015 10:55 PM (GMT-05:00) To: oauth oauth@ietf.org

[OAUTH-WG] user impersonation protocol?

2015-02-15 Thread Bill Burke
or some other IETF or even Connect effort that would support something like this? Thanks, Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] Confusion on Implicit Grant flow

2015-02-10 Thread Bill Burke
request and not replayed from another session. Why would you need the nonce if the IDP guarantees that the code can only be used once? The code, state, and redirect-uri are all validated by the IDP with the access token request. Bill -- Bill Burke JBoss, a division of Red Hat http

Re: [OAUTH-WG] Confusion on Implicit Grant flow

2015-02-10 Thread Bill Burke
#ResponseModes. Yeah, and it looks like you can use it for anything. It only defines default modes for various response types (code, token, etc.) -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] Confusion on Implicit Grant flow

2015-02-09 Thread Bill Burke

Re: [OAUTH-WG] Confusion on Implicit Grant flow

2015-02-09 Thread Bill Burke
are probably more at risk using code than implicit. Implicit is risky because running a OAuth client in the browser is risky. Using code in that case makes it no better, and arguably worse. Perhaps I don't understand the environment. John B. On Feb 9, 2015, at 5:05 PM, Bill Burke bbu...@redhat.com

Re: [OAUTH-WG] open redirect in rfc6749

2014-09-16 Thread Bill Burke
4, 2014, at 2:52 PM, Bill Burke bbu...@redhat.com wrote: FWIW, Antonio convinced me and I'm going to change this in our IDM project. Thanks Antonio. What convinced me was that the user is probably expecting a login screen. Since there is this expectation, it might make it a little easier

Re: [OAUTH-WG] open redirect in rfc6749

2014-09-04 Thread Bill Burke
an error. *Error: invalid_scope* Some requested scopes were invalid. {invalid=[l]} said that I hope you all agree this is an issue in the spec so far…. regards antonio John B. On Sep 3, 2014, at 12:10 PM, Bill Burke <bbu...@redhat.com>

Re: [OAUTH-WG] open redirect in rfc6749

2014-09-03 Thread Bill Burke

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
On 6/12/2014 4:18 PM, Phil Hunt wrote: Phil On Jun 12, 2014, at 12:50, Bill Burke bbu...@redhat.com wrote: On 6/12/2014 12:49 PM, Prateek Mishra wrote: The OpenID Connect 2.0 Core specification alone is 86 pages. It has received review from maybe a dozen engineers within the OpenID

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
Oauth2/JWT based and it was really easy to meet the minimal requirements of OIDC core. To create competing standards at IETF just because OIDC is not part of IETF, IMO, is a disservice to the community. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-13 Thread Bill Burke
towards. OIDC, for me at least, gave a much more complete direction for my project. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

2014-06-12 Thread Bill Burke
that any feature we wanted to define already existed in OpenID Connect. These guys have done great work. Aren't many of you here authors of this spec and/or the same companies?!? I think your energies are better focused on lobbying OIDC to join the IETF and this WG. -- Bill Burke JBoss

Re: [OAUTH-WG] Client authentication and assertion grants

2014-05-20 Thread Bill Burke
and another deals with providing access tokens for clients to access application STS services :) Instead of just one auth server having to know about everything, you can delegate things to different servers. Am I on the right track? -- Bill Burke JBoss, a division of Red Hat http

Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer Shepherd Write-up

2014-04-25 Thread Bill Burke

Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

2014-04-25 Thread Bill Burke
-oauth-jwt-bearer is only about interactions (client authentication and JWT as an authorization grant) with the token endpoint and doesn't define JWT style access tokens. On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke bbu...@redhat.com mailto:bbu...@redhat.com wrote: Red Hat Keycloak [1] only

Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

2014-04-25 Thread Bill Burke
is premature until an RFC is out for JWT? Or are people writing drafts for their own personal claims? Thanks. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

Re: [OAUTH-WG] CORS and public vs. confidential clients

2014-03-28 Thread Bill Burke
. Confidential clients may be used with the other flows (code, resource,..) that are capable of making a TLS call to a Token Endpoint. BTW, Is there a better list for these types of questions? Didn't have a lot of luck on the Google Group for OAuth. -- Bill Burke JBoss, a division of Red Hat http

[OAUTH-WG] CORS and public vs. confidential clients

2014-03-27 Thread Bill Burke
document that describes the difference and pros/cons of public vs. confidential clients beyond the actual OAUTH spec itself? Thanks -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

[OAUTH-WG] can public clients be as safe in Auth Code Grants?

2014-03-04 Thread Bill Burke
. Hope it's ok to post these kinds of questions here. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com