Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

2024-01-11 Thread Karsten Meyer zu Selhausen | Hackmanit
entional? Best regards, *Filip Skokan* On Wed, 10 Jan 2024 at 09:37, Karsten Meyer zu Selhausen | Hackmanit wrote: Hello Filip, our draft covers and is compatible with what's called "simple mode" (both with and without prompt) in draft-sakimura-o

Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

2024-01-11 Thread Karsten Meyer zu Selhausen | Hackmanit
ture is not the same as in draft-sakimura-oauth-wmrm. Is that an omission or intentional? Best regards, *Filip Skokan* On Wed, 10 Jan 2024 at 09:37, Karsten Meyer zu Selhausen | Hackmanit wrote: Hello Filip, our draft covers and is compatible with what's called "simple mode"

Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

2024-01-10 Thread Karsten Meyer zu Selhausen | Hackmanit
think it would be very helpful for implementers and developers to specify a secure standard for a postMessage API-based response mode. Best regards, Karsten On 23.11.2023 10:11, Karsten Meyer zu Selhausen | Hackmanit wrote: Hi everyone, at the last OSW the

Re: [OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

2024-01-04 Thread Karsten Meyer zu Selhausen | Hackmanit
e standard for a postMessage API-based response mode. Best regards, Karsten On 23.11.2023 10:11, Karsten Meyer zu Selhausen | Hackmanit wrote: Hi everyone, at the last OSW the topic of a response mode based on the postMessage API came up. This approach is already used by multiple parties (e.g

[OAUTH-WG] Draft for “web_message” Response Mode - Asking For Feedback

2023-11-23 Thread Karsten Meyer zu Selhausen | Hackmanit
However, there have not been any changes to its contents. What are the plans of the authors for this draft? Best regards Karsten -- Karsten Meyer zu Selhausen Senior IT Security Consultant Phone: +49 (0)234 / 54456499 Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Secu

Re: [OAUTH-WG] [External Sender] Re: Collective name for attacks on cross-device flows: Cross-Device Consent Phishing (CDCP)

2023-06-19 Thread Karsten Meyer zu Selhausen
please contact the sender and delete the material from your computer. ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] audience parameter in client_credentials

2023-04-18 Thread Karsten Meyer zu Selhausen
Evert [1]: https://github.com/badgateway/oauth2-client

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-cross-device-security-01.txt

2023-03-14 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] redirect uri and portals

2023-03-07 Thread Karsten Meyer zu Selhausen
7.1-3.2.1> The referenced draft has, however, expired: https://www.ietf.org/archive/id/draft-bradley-oauth-jwt-encoded-state-09.txt Ciao Hannes -- Yannick Majoros Valuya sprl

Re: [OAUTH-WG] redirect uri and portals

2023-03-07 Thread Karsten Meyer zu Selhausen
hat stored information more than the redirect_uri, both needing validation anyway? Could be me, but I'm not seeing a solution for my problem yet. On Tue, 7 Mar 2023 at 09:55, Karsten Meyer zu Selhausen wrote: - In a context where all redirect URIs are under our control, how is pas

Re: [OAUTH-WG] redirect uri and portals

2023-03-07 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] Call for adoption: Cross-Device Flows

2022-11-21 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] Certificate-bound refresh tokens and certificate expiration handling in case of the confidential clients

2022-08-19 Thread Karsten Meyer zu Selhausen
-- Regards and Best Wishes Jaimandeep Singh LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7>

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-03.txt

2021-11-18 Thread Karsten Meyer zu Selhausen
internet-dra...@ietf.org: A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Authorization Server Issuer Identification Authors : Karsten Meyer

Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-iss-auth-resp-02

2021-11-15 Thread Karsten Meyer zu Selhausen
a consideration in the way that the rest of the section is.

Re: [OAUTH-WG] Artart last call partial review of draft-ietf-oauth-iss-auth-resp-02

2021-11-15 Thread Karsten Meyer zu Selhausen
; so section 6 should be deleted (if there were acks, they should go into an unnumbered section at the end of the document). We added missing Acks and moved them to the appendix.

Re: [OAUTH-WG] [EXTERNAL] Rotating RTs and grace periods

2021-11-04 Thread Karsten Meyer zu Selhausen
Kind regards, Neil

Re: [OAUTH-WG] AD review of draft-ietf-oauth-iss-auth-resp-02

2021-10-28 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] Shepherd writeup for draft-ietf-oauth-iss-auth-resp

2021-10-08 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] Doc Shepherd Review - OAuth 2.0 Authorization Server Issuer Identification

2021-10-06 Thread Karsten Meyer zu Selhausen
of the draft to allow me to progress it? Regards, Rifaat On Mon, Sep 6, 2021 at 6:50 AM Karsten Meyer zu Selhausen wrote: Hi Rifaat, thank you for the shepherd's review. Those are valid comments. We will have a se

Re: [OAUTH-WG] IPR Disclosures - OAuth 2.0 Authorization Server Issuer Identification

2021-09-09 Thread Karsten Meyer zu Selhausen
lready been filed. Please, reply to this email on the mailing list and indicate if you are aware of any IPRs associated with this document. Regards, Rifaat

Re: [OAUTH-WG] Doc Shepherd Review - OAuth 2.0 Authorization Server Issuer Identification

2021-09-06 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-01.txt

2021-06-08 Thread Karsten Meyer zu Selhausen
Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : OAuth 2.0 Authorization Server Issuer Identification Authors : Karsten Meyer zu Selhausen

Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-19 Thread Karsten Meyer zu Selhausen
no concerns. Regards, Rifaat & Hannes On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen wrote: Hi all, the latest version of the security BCP references draft-ietf-oauth-iss-auth-resp-00 as

[OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-04-15 Thread Karsten Meyer zu Selhausen
the WG if there are any comments on or concerns with the current draft version. Otherwise I hope we can move forward with the next steps and hopefully finish the draft before/with the security BCP. Best regards, Karsten

Re: [OAUTH-WG] Security of OAuth on Andriod [Was: Re: Token Mediating and session Information Backend For Frontend (TMI BFF)]

2021-03-17 Thread Karsten Meyer zu Selhausen

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-iss-auth-resp-00.txt

2021-01-07 Thread Karsten Meyer zu Selhausen
in Authorization Response Authors : Karsten Meyer zu Selhausen Daniel Fett Filename: draft-ietf-oauth-iss-auth-resp-00.txt Pages : 10 Date: 2021-01-06 Abstract: This document specifies a new parameter "

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

2020-12-08 Thread Karsten Meyer zu Selhausen
aft-meyerzuselhausen-oauth-iss-auth-resp/> Please, provide your feedback on the mailing list by Dec 22nd. Regards, Rifaat & Hannes

[OAUTH-WG] Fwd: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-02.txt

2020-11-17 Thread Karsten Meyer zu Selhausen
Subject: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-02.txt Date: Tue, 17 Nov 2020 03:42:02 -0800 From: internet-dra...@ietf.org To: Karsten zu Selhausen , Daniel Fett , Karsten Meyer zu Selhausen A new version of I-D, draft-meyerzuselhausen-oauth-iss-auth

[OAUTH-WG] Fwd: New Version Notification for draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt

2020-11-01 Thread Karsten Meyer zu Selhausen
Sun, 01 Nov 2020 23:31:42 -0800 From: internet-dra...@ietf.org To: Karsten Meyer zu Selhausen , Karsten zu Selhausen , Daniel Fett A new version of I-D, draft-meyerzuselhausen-oauth-iss-auth-resp-01.txt has been successfully submitted by Karsten Meyer zu Selhausen and posted to

[OAUTH-WG] New draft: Mix-up prevention - adding "iss" parameter to the authorization response

2020-10-26 Thread Karsten Meyer zu Selhausen
"mix-up" attacks. The need for a proper specification of the "iss" parameter was discussed in this thread: https://mailarchive.ietf.org/arch/msg/oauth/DQR2ZXtGKfa-8UGtuPYyZoAaBIc/ Best regards, Karsten

Re: [OAUTH-WG] [EXTERNAL] Re: Mix-Up Revisited

2020-09-04 Thread Karsten Meyer zu Selhausen
at 08:20, Karsten Meyer zu Selhausen wrote: >> Hi all, >> I think we all agree that proper countermeasures against mix-up attacks should definitely be part of the BCP and 2.1 due to the severe impact successful mix-up attacks have.

Re: [OAUTH-WG] WGLC on Pushed Authorization Requests draft

2020-08-19 Thread Karsten Meyer zu Selhausen
ocument: > https://www.ietf.org/id/draft-ietf-oauth-par-03.html > Please, take a look and provide feedback on the list by *August 25th.* > Regards, > Rifaat & Hannes

Re: [OAUTH-WG] [EXTERNAL] Re: Mix-Up Revisited

2020-08-11 Thread Karsten Meyer zu Selhausen

[OAUTH-WG] Comments on draft-ietf-oauth-v2-1-00 (The OAuth 2.1 Authorization Framework)

2020-08-06 Thread Karsten Meyer zu Selhausen
authorization request to and bind this information to the user agent and check that the authorization request was received from the correct authorization server." -> "Clients MUST store the authorization server they sent an authorization request to and bind this information to the user a

[OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-11-26 Thread Karsten Meyer zu Selhausen
in the BCP (adding an AS identifier and the client_id of the intended recipient to the AS's responses) should be used to prevent Mix-Up attacks. If the involved entities use the OIDC hybrid flow, this countermeasure is automatically applied. Did we miss anything? Or what is your opinion about this? B