[OAUTH-WG] New User-Managed Access (UMA) drafts

ative.org/confluence/display/uma/UMA+Implementations [2] https://tools.ietf.org/html/draft-maler-oauth-umagrant [3] https://tools.ietf.org/html/draft-maler-oauth-umafedauthz *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl ___ OAut

Re: [OAUTH-WG] Auth Server / Resource Server Coordination

/bcp190 <https://tools.ietf.org/html/bcp190>, but > I think it's a good source of inspiration) > ___ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlg...@gmail.com ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Review of draft-ietf-tram-turn-third-party-authz-01

the two parties then they will certainly be a challenge to get this done securely. Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth

Re: [OAUTH-WG] Confirmation: Call for Adoption of OAuth Token Introspection as an OAuth Working Group Item

://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo

Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman

Re: [OAUTH-WG] Comments on draft-richer-oauth-introspection-04

make sense? Should I go with it? -- Thomas Broyer /tɔ.ma.bʁwa.je/ ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756

Re: [OAUTH-WG] Refactoring Dynamic Registration

with this refactoring, I expect both documents to move in tandem through the RFC approval process. -- Justin Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com

Re: [OAUTH-WG] Charter- was Re: Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10

portal. The only difference is that they don’t have to do out-of-band registration anymore! -- Mike Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl

Re: [OAUTH-WG] JWT - scope claim missing

://nat.sakimura.org/ @_nat_en ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-02.txt

http://blog.facilelogin.com http://RampartFAQ.com ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756

Re: [OAUTH-WG] Concerning OAuth introspection

OPTIONAL And for the OAuth client information, it should be an optional parameter (in case it is a public client or client is authenticated with SSL mutual authentication). Please consider. ShiuFun Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756

Re: [OAUTH-WG] Client cannot specify the token type it needs

-- Thanks Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http

Re: [OAUTH-WG] Concerning OAuth introspection

@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756

Re: [OAUTH-WG] Concerning OAuth introspection

Rudely responding to myself: I'm not saying this approach should definitely be taken, just that it's a good idea to spend 15 minutes looking at the benefits and downsides of it vs. the current laser-focus approach. Eve On 23 Jan 2013, at 9:28 AM, Eve Maler e...@xmlgrrl.com wrote

Re: [OAUTH-WG] Concerning OAuth introspection

to imagine how much more benefit could potentially be gotten for free if we look at it through a pure-REST lens, not just with what's already been specified but the whole picture. +1 -- Todd From:Eve Maler e...@xmlgrrl.com To:Sergey Beryozkin sberyoz

Re: [OAUTH-WG] Client cannot specify the token type it needs

to register via the dynamic registration proposal the token types it supports and then the AS can use that data as a filtering mechanism when the client asks for a token. Thanks, George On 1/23/13 12:23 PM, Eve Maler wrote: FWIW, some of us have made a proposal for exactly this type

Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW: New Version Notification for draft-hardjono-oauth-resource-reg-00.txt

On 28 Dec 2012, at 5:58 AM, Anganes, Amanda L aanga...@mitre.org wrote: Hi Eve and Thomas, On 12/27/12 8:11 PM, Eve Maler e...@xmlgrrl.com wrote: Amanda, thanks for the lightning-fast comments back. A couple of additional notes on top of Thomas's response: The scope type language

Re: [OAUTH-WG] OAuth 2.0 Resource Registration draft -- FW: New Version Notification for draft-hardjono-oauth-resource-reg-00.txt

Secretariat ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler

[OAUTH-WG] My earlier comments on the dyn client reg draft

that, eventually, the RP/IdP language from the OpenID Connect draft will need to be genericized. Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

to be supported without extra scaffolding. -- Justin \ Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman

Re: [OAUTH-WG] New Version Notification for draft-richer-oauth-introspection-00.txt

of tokens (Bearer, MAC, HOK) are going to have different types of metadata associated with them, probably, but there are a few core pieces (expiration, scopes) that would be common and useful. -- Justin On 11/29/2012 05:59 PM, Eve Maler wrote: Hi Justin-- Glad to see this moving forward

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

directly show delegation to the Teacher and walk the child home. Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

: Thursday, October 11, 2012 4:45 AM To: Eve Maler Cc: oauth@ietf.org WG Subject: Re: [OAUTH-WG] Resource owner initiated OAuth delegation Hi,Eve Having an RO literally being present to register a client operated by some third party still seems like an unnecessary constraint to me

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

be ideal. Otherwise I suspect it's impractical in normal use. Eve On 9 Oct 2012, at 6:49 PM, zhou.suj...@zte.com.cn wrote: Hi，Prabath Prabath Siriwardena prab...@wso2.com 2012-10-09 20:35 收件人 zhou.suj...@zte.com.cn 抄送 Eve Maler e...@xmlgrrl.com, oauth@ietf.org, oauth-boun

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

, 2012 at 3:20 PM, Eve Maler e...@xmlgrrl.com wrote: There are a number of implicit actions happening here that ideally should be accounted for. If Alice is the RO and Bob is operating the client, then when Bob accesses the protected resource it may not just be on Alice's behalf -- think of how

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

corresponds to Client in OAuth, so it is still client initiated delegation, not what Prabath wants. Eve Maler e...@xmlgrrl.com 2012-10-11 06:54 收件人 Prabath Siriwardena prab...@wso2.com 抄送 zhou.suj...@zte.com.cn, oauth@ietf.org WG oauth@ietf.org 主题 Re: [OAUTH-WG] Resource owner

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl -- Thanks Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com Eve

Re: [OAUTH-WG] Resource owner initiated OAuth delegation

-- Thanks Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http

Re: [OAUTH-WG] Implementation Support and Community

OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https

Re: [OAUTH-WG] Updated Charter to the IESG (this weekend)

and general AS-PR connection could be this group's fifth starting document. -- Justin Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth

Re: [OAUTH-WG] IIW and OAuth

.) ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl

Re: [OAUTH-WG] Dynamic Client Registration

/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Issue token for another user

be the identifier for the user Bob)? -David ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http

Re: [OAUTH-WG] OAuth 2.0 and Access Control Lists (ACL)

://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http

Re: [OAUTH-WG] Rechartering

list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org https

Re: [OAUTH-WG] Second Last Call: draft-hammer-hostmeta-16.txt (Web Host Metadata) to Proposed Standard -- feedback

any reason to generalise such a beast into a generic mechanism. ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756

[OAUTH-WG] Fwd: [oauth] Good list of OAuth open source?

Zero response from the other list. Any suggestions from folks here? Begin forwarded message: From: Eve Maler e...@xmlgrrl.com Date: 20 June 2011 4:54:56 PM PDT To: oa...@googlegroups.com Subject: [oauth] Good list of OAuth open source? Reply-To: oa...@googlegroups.com The list at http

Re: [OAUTH-WG] Fwd: [oauth] Good list of OAuth open source?

Anyone knows if there is an open source OAuth2 server reference implementation that reflects the latest draft 16, and unit-tested against the security considerations in section 10? On Sat, Jun 25, 2011 at 1:02 AM, Eve Maler e...@xmlgrrl.com wrote: Zero response from the other list. Any

Re: [OAUTH-WG] Fwd: [oauth] Good list of OAuth open source?

Both are used in production. EHL -Original Message- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eve Maler Sent: Friday, June 24, 2011 2:19 PM To: oauth WG Subject: Re: [OAUTH-WG] Fwd: [oauth] Good list of OAuth open source? Thanks, y'all

[OAUTH-WG] Looking for feedback on client-server OAuth usage

know who might be interested to respond. Thanks in advance, Eve Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth@ietf.org

Re: [OAUTH-WG] New Working Group Items?

. ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth

Re: [OAUTH-WG] Feedback on preliminary draft 11 from implementers of draft 10

it as an IETF I-D soonish: http://kantarainitiative.org/confluence/display/uma/Working+Drafts Eve Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth

Re: [OAUTH-WG] Comparing the JSON Token drafts

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth

Re: [OAUTH-WG] Basic signature support in the core specification

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl ___ OAuth mailing list OAuth

[OAUTH-WG] Proposal for OAuth dynamic client registration

idsubmiss...@ietf.org Date: 10 August 2010 12:23:59 PM PDT To: e...@xmlgrrl.com Cc: c...@comlounge.net, m.p.machu...@ncl.ac.uk Subject: New Version Notification for draft-oauth-dyn-reg-v1-00 A new version of I-D, draft-oauth-dyn-reg-v1-00.txt has been successfully submitted by Eve Maler

Re: [OAUTH-WG] resource server id needed?

, how does UMA plan to address resource servers during the OAuth end-user authorization process? regards, Torsten. Am 29.07.2010 02:37, schrieb Eve Maler: Belatedly... Sorry if I sound like a broken record on this, but: Most of UMA's use involve letting a user introduce their various

Re: [OAUTH-WG] OAuth Protected feeds

...@cliqset.com ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog http://www.twitter.com/xmlgrrl http://www.linkedin.com/in/evemaler

Re: [OAUTH-WG] resource server id needed?

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog http://www.twitter.com

Re: [OAUTH-WG] access grant terminology

://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog http://www.twitter.com/xmlgrrl http://www.linkedin.com/in/evemaler ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] What to do about 'realm'

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog http://www.twitter.com/xmlgrrl http://www.linkedin.com/in/evemaler ___ OAuth mailing list OAuth@ietf.org https

Re: [OAUTH-WG] POLL: Are you going to Maastricht?

https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog http://www.twitter.com/xmlgrrl http://www.linkedin.com/in/evemaler ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Partially standardized format for access tokens?

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler e...@xmlgrrl.com http

Re: [OAUTH-WG] [oauth] #6: Make automated self-registration of unique clients possible

purpose. So never mind. :) Eve Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] Autonomous clients and resource owners (editorial)

is acting for itself (the client is also the resource owner). to something like: ...and autonomous flows where the client is acting on behalf of a different resource owner. Thanks, Eve On 21 Apr 2010, at 4:43 PM, Eve Maler wrote: Tacking this response to the end of the thread for lack

Re: [OAUTH-WG] Issue: 'username' parameter proposal

/listinfo/oauth Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Issue: 'username' parameter proposal

Thanks! On 21 Apr 2010, at 5:12 PM, Eran Hammer-Lahav wrote: This is part of the delegation flows so username should be just fine… EHL From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eve Maler Sent: Wednesday, April 21, 2010 4:43 PM To: OAuth WG Subject

Re: [OAUTH-WG] 'Scope' parameter proposal

___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth Eve Maler e...@xmlgrrl.com http

Re: [OAUTH-WG] First draft of OAuth 2.0

Token (comparable to OpenID/OAuth hybrid). Anybody else interested? paul Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

[OAUTH-WG] What are the OAuth design principles?

for your use cases? The UMA principles might be able to inform how the OAuth WG makes its case for why Kerberos doesn't suffice. (If we discover it does, hey, our work here is done. :-) Eve Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog

Re: [OAUTH-WG] First draft of OAuth 2.0

all have been discussing here. I hope that I haven't missed anyone who contributed to prior work and am happy to add other authors if I have (and they wish to be added)! Thanks, --David [1] http://www.ietf.org/mail-archive/web/oauth/current/msg01225.html Eve Maler e...@xmlgrrl.com

Re: [OAUTH-WG] First draft of OAuth 2.0

to the docs; this is fine for some features but not for very general ones that everybody needs to use. Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] First draft of OAuth 2.0

Selected thoughts in response: On 21 Mar 2010, at 3:51 PM, David Recordon wrote: Thanks! Comments inline and updated the repo (http://github.com/daveman692/OAuth-2.0/commit/3193098ff45168dd0a65456334428b20215f848a). On Sun, Mar 21, 2010 at 12:03 PM, Eve Maler e...@xmlgrrl.com wrote: David

Re: [OAUTH-WG] Dinner Sunday?

will be in Anaheim Sunday evening, but should we try to put a dinner together? 7pm-ish? Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Signatures, Why?

. This was a valuable thread. Perhaps someone could write up a summary of the points raised, either on the list or at the wiki? Peter Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https

Re: [OAUTH-WG] Signatures, Why?

when requesting access tokens, or when using access tokens. On one side there are people who would prefer bearer tokens, and on the other side there are folks who want crypto in various bits of the protocol to meet different use cases. Cheers, Brian Eve Maler e...@xmlgrrl.com http

Re: [OAUTH-WG] Recent UMA work that may inform this group's deliberations

Thanks for your further feedback. Just a couple of comments back (eliding other portions of the thread): On 8 Mar 2010, at 2:21 PM, Dick Hardt wrote: On 2010-03-05, at 6:57 AM, Eve Maler wrote: 2c. Currently, WRAP doesn't say anything about how to fill the scope parameter value

Re: [OAUTH-WG] Recent UMA work that may inform this group's deliberations

as possible in preparation for Anaheim, ideally including specific guidance from those who have submitted the most sensitive UMA scenarios or have the biggest concerns. Eve On 4 Mar 2010, at 11:01 AM, Eve Maler wrote: Folks may be interested to see the following experiment being performed

[OAUTH-WG] FYI, UMA webinar followup

/Meetings+and+Minutes Eve Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Allowing Secrets in the Clear Over Insecure Channels

to have TLS as a MUST implement so that it's there if people want to use it.) +1 - johnk Eve Maler e...@xmlgrrl.com http://www.xmlgrrl.com/blog ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth