Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

2024-04-04 Thread Dmitry Telegin
Hello Atul, As an alternative to Token Exchange and a separate (new) endpoint, have you ever considered OAuth 2.0 Extension Grants? This could give us more flexibility as it will let us define our own set of input parameters and validation

Re: [OAUTH-WG] Call for adoption - Transaction Tokens

2023-11-15 Thread Dmitry Telegin
ote: > Hi Dmitry, > Even if it doesn't count (and I too am not familiar with the voting > rules), you can still record your vote by sending an email to this list. > > The issue tracker is here for now: > https://github.com/SGNL-ai/transaction-tokens/issues > Atul > > >

Re: [OAUTH-WG] Call for adoption - Transaction Tokens

2023-11-15 Thread Dmitry Telegin
Not sure if I have a formal right to vote, will just state that we are currently using something very similar internally, and will be looking forward to adopting a standards-based approach. BTW, is there an issue tracker for this one? Couldn't find links to GH etc. Thanks, Dmitry Backbase /

[OAUTH-WG] OAuth 2.0 for First-Party Native Applications + Step-Up

2023-09-05 Thread Dmitry Telegin
First of all, thanks to everyone who worked on this draft. (Aaron - special thanks for your time at OSW!). This is also to register our (Backbase) interest in contributing to the draft. Question on using FiPNA for step-up and similar cases; as long as cookies are not used in the native scenario,

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Dmitry Telegin
Hi all, In regards to the use cases for CORS in the Authorization endpoint - what about a SPA requesting a step-up reauthentication? Especially if it is "silent", e.g. initiating out-of-band authentication without the need for user interaction. Currently, we don't have too many options; it's

Re: [OAUTH-WG] OAuth2 Client Discovery

2022-12-14 Thread Dmitry Telegin

Re: [OAUTH-WG] OAuth2 Client Discovery

2022-12-14 Thread Dmitry Telegin

Re: [OAUTH-WG] OAuth2 Client Discovery

2022-12-13 Thread Dmitry Telegin
Hello Tobias, thanks for the draft! In regards to prior art, I'd like to mention Solid Project and their OIDC flavor, Solid-OIDC: https://solid.github.io/solid-oidc/#clientids-document They're using a similar approach (and have been for years), though with some differences: - client_id points to

Re: [OAUTH-WG] DPoP questions (post IETF 115), part 2

2022-11-17 Thread Dmitry Telegin
don't know specifics around conformance but I think that DPoP is being > worked on or planned with the FAPI 2.0 tests. > > > > > On Mon, Nov 14, 2022 at 5:42 PM Dmitry Telegin 40backbase@dmarc.ietf.org> wrote: > >> - DPoP and Step-Up (hello Brian :) >> >>

Re: [OAUTH-WG] DPoP questions (post IETF 115), part 1

2022-11-17 Thread Dmitry Telegin
Agreed on general guidance, will try to draft the text. Should I post it here first or go straight to GitHub? On Wed, Nov 16, 2022 at 1:49 PM Brian Campbell wrote: > > > On Mon, Nov 14, 2022 at 5:18 PM Dmitry Telegin 40backbase@dmarc.ietf.org> wrote: > >>

[OAUTH-WG] DPoP questions (post IETF 115), part 2

2022-11-14 Thread Dmitry Telegin
- DPoP and Step-Up (hello Brian :) TL;DR: can we use DPoP and Step-Up together? The question is probably more about understanding of the process rather than technical details. If I understand correctly, Step-Up is meant to amend/extend RFC 6750. Can we say that the features defined in Step-Up

[OAUTH-WG] DPoP questions (post IETF 115), part 1

2022-11-14 Thread Dmitry Telegin
Hi all, In regards to RSs supporting Bearer and DPoP simultaneously, would it make sense to include some examples of error responses? I'm asking because as an implementor, I had to do a lot of guesswork on how to properly form such responses (and more guesswork means more incompatible

Re: [OAUTH-WG] Tuesday side meeting agenda

2022-11-14 Thread Dmitry Telegin
Hello Rifaat, Are there plans to publish side meeting agendas/slides/recordings, for those who didn't manage to attend? Thanks, Dmitry On Tue, Nov 8, 2022 at 11:16 AM Rifaat Shekh-Yusef wrote: > The side meeting is at 2:00pm at Richmond 6. > > Regards, > Rifaat > > > On Tue, Nov 8, 2022 at

Re: [OAUTH-WG] DPoP - Implementations

2022-11-14 Thread Dmitry Telegin
Hello Rifaat, Hope it's not too late to include the following. Keycloak: https://www.keycloak.org/ DPoP status: work in progress (tentatively Keycloak 22) Solid Project: https://solidproject.org/ DPoP status: DPoP is essential for Solid-OIDC and is required by the specification

[OAUTH-WG] DPoP and OpenID Connect

2022-02-16 Thread Dmitry Telegin
Could we somehow clarify the relationship between DPoP and OIDC? (sorry if this is the wrong ML) For example, it's relatively obvious that the OIDC UserInfo should support DPoP, as it is an OAuth 2.0 protected resource. What's not obvious is that the WWW-Authenticate challenge (in case of 401)

[OAUTH-WG] DPoP + Token Revocation

2022-02-09 Thread Dmitry Telegin
Could we perhaps be a little bit more specific on the relationship between DPoP and OAuth 2.0 Token Revocation (RFC 7009)? I believe that if we constrain *some* token lifecycle events (issuance, refresh), we should constrain *all*, revocation included (please correct me if I'm wrong). There seem

[OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)

2021-12-09 Thread Dmitry Telegin
The following changes to RFC 8705 have been proposed: - introduce a new error code (e.g. "invalid_mtls_certificate") to be used when the certificate is required by the AS/RS, but the underlying stack has been misconfigured and the client didn't send one; - for bound token use, change

[OAUTH-WG] DPoP and MTLS - friends or foes?

2021-11-12 Thread Dmitry Telegin
As an implementer of one binding mechanism (DPoP) for the AS (Keycloak) that already features another (MTLS), I'm running into the question whether we should allow those two to be used simultaneously (which could be of course extrapolated to other hypothetical mechanisms). By "simultaneously" I

Re: [OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

2021-11-12 Thread Dmitry Telegin
o propose an update as an individual > draft to the group here. > > -Justin > ____ > From: Dmitry Telegin [dmit...@backbase.com] > Sent: Wednesday, November 10, 2021 1:34 PM > To: Justin Richer > Cc: oauth > Subject: Re: [OAUTH-WG] RFC 8705

Re: [OAUTH-WG] [DPoP] Order of validation for DPoP proofs and access tokens

2021-11-10 Thread Dmitry Telegin
It's really just an implementation choice, I think. > > On Wed, Oct 27, 2021 at 7:17 AM Dmitry Telegin 40backbase@dmarc.ietf.org> wrote: > >> Any updates on this one? As of -04 we have a clear distinction between >> "error=invalid_token" and "error=

Re: [OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

2021-11-10 Thread Dmitry Telegin
> up the token presentation. > > — Justin > > On Nov 10, 2021, at 10:17 AM, Dmitry Telegin < > dmitryt=40backbase@dmarc.ietf.org> wrote: > > Any updates on this one? The missing certificate case looks more like > "invalid_request" to me: > > inval

Re: [OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

2021-11-10 Thread Dmitry Telegin
ore than one method for including an access > token, or is otherwise malformed. The resource server SHOULD > respond with the HTTP 400 (Bad Request) status code. > > On Fri, Sep 24, 2021 at 2:23 AM Dmitry Telegin wrote: > From the document: > >The prot

[OAUTH-WG] DPoP and OAuth2 extensions

2021-10-27 Thread Dmitry Telegin
The draft currently focuses on DPoP support in Authorization endpoint and Token endpoint (authorization code grant + refresh token grant). The concept, however, could be extrapolated to several other endpoints, grant types and OAuth2 extensions: - ROPC (RFC 6749 section 1.3.3); - OAuth 2.0 Token

[OAUTH-WG] DPoP - access token hash format

2021-10-27 Thread Dmitry Telegin
As of -03, the "ath" DPoP proof claim has been introduced: > ath: hash of the access token (REQUIRED). The value MUST be the result of a base64url encoding (with no padding) the SHA-256 hash of the ASCII encoding of the associated access token's value. OpenID Connect has a similar concept

Re: [OAUTH-WG] [DPoP] Order of validation for DPoP proofs and access tokens

2021-10-27 Thread Dmitry Telegin
f the "invalid_token" and "invalid_dpop_proof" should be signaled? Regards, Dmitry Backbase On Fri, Jul 30, 2021 at 6:37 PM Dmitry Telegin wrote: > Hello, > > When DPoP proof is used in conjunction with a token (protected resource > access; token refresh), what should be the order

[OAUTH-WG] DPoP and client registration metadata

2021-10-26 Thread Dmitry Telegin
For dynamically registered clients, there is currently no way to indicate the intention to use DPoP. Hence, it's completely up to the AS whether to enforce DPoP or not on such clients (for example, using client registration policies). Seems like there is no common approach here; for example, RFC

Re: [OAUTH-WG] [DPoP] Protected resource access and invalid DPoP proofs

2021-09-23 Thread Dmitry Telegin
in the document. I'll look to add > that, probably somewhere in section 7 > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html#name-protected-resource-access>, > in the next draft revision. > > > On Thu, Aug 5, 2021 at 8:50 AM Dmitry Telegin 40backbase@dmarc.ietf

[OAUTH-WG] RFC 8705 (oauth-mtls): RS error code for missing client certificate

2021-09-23 Thread Dmitry Telegin
From the document: > The protected resource MUST obtain, from its TLS implementation layer, the client certificate used for mutual TLS and MUST verify that the certificate matches the certificate associated with the access token. If they do not match, the resource access attempt

[OAUTH-WG] DPoP 03 - access_token as a POST parameter + Bearer/DPoP multi-scheme protected resources

2021-09-02 Thread Dmitry Telegin
Hi, The Bearer Token Usage RFC allows for an access token to be passed as a body form-encoded parameter. With DPoP, this leads to ambiguity if a protected resource supports DPoP and Bearer schemes simultaneously, as per DPoP Section 7.2.

Re: [OAUTH-WG] [DPoP] Protected resource access and invalid DPoP proofs

2021-08-11 Thread Dmitry Telegin
Sorry, "Basic" should be "Bearer" obviously. Dmitry On Thu, Aug 12, 2021 at 12:02 AM Dmitry Telegin wrote: > Hi Brian, thanks for the response, > > On a related note, chapter 7.2 allows for protected resources supporting > Bearer and DPoP schem

Re: [OAUTH-WG] [DPoP] Protected resource access and invalid DPoP proofs

2021-08-11 Thread Dmitry Telegin
modate it in the document. I'll look to add > that, probably somewhere in section 7 > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html#name-protected-resource-access>, > in the next draft revision. > > > On Thu, Aug 5, 2021 at 8:50 AM Dmitry Telegin 40backbase

[OAUTH-WG] [DPoP] Protected resource access and invalid DPoP proofs

2021-08-05 Thread Dmitry Telegin
Hello, When a protected resource is accessed using DPoP proof + DPoP-bound access token, either of those could be invalid. Should we make distinction between these two cases? I.e. should the response always be a 401 Unauthorized with WWW-Authenticate: DPoP ... error="invalid_token"? or could we

[OAUTH-WG] [DPoP] Order of validation for DPoP proofs and access tokens

2021-07-30 Thread Dmitry Telegin
Hello, When DPoP proof is used in conjunction with a token (protected resource access; token refresh), what should be the order of validation of those? The draft doesn't mention this, and it's hard to deduce logically which should come first, since validation is mutual ("ath" DPoP claim vs.

[OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-15 Thread Dmitry Telegin
Hi, The DPoP spec currently defines how to obtain a DPoP-bound token via token endpoint invocations (namely, authorization_code and refresh_token grants). But it is also possible to obtain an access token prior to the code-to-token exchange, via OAuth implicit/hybrid flows. Do we have any plans to

[OAUTH-WG] DPoP key rotation

2021-06-08 Thread Dmitry Telegin
Hi, I'm Dmitry Telegin, I'm currently working on DPoP implementation in Keycloak on behalf of my company, Backbase. Takashi Norimatsu of Hitachi supervises this process as the head of the Keycloak FAPI SIG. With the current DPoP design, once the keypair has been generated on the user agent