Re: [OAUTH-WG] State Leakage Attack

2016-04-24 Thread tors...@lodderstedt.net
:-) Original message From: Thomas Broyer <t.bro...@gmail.com> Sent: Saturday, April 23, 2016 10:46 PM To: Torsten Lodderstedt <tors...@lodderstedt.net>,Guido Schmitz <g.schm...@gtrs.de>,oauth@ietf.org Subject: Re: [OAUTH-WG] State Leakage Attack >

Re: [OAUTH-WG] State Leakage Attack

2016-04-22 Thread tors...@lodderstedt.net
Hi Daniel, how is the attacker supposed to utilise the leaked state value? I would assume the legit client binds it to a certain user agent, e.g. via the session context, which is not available to the attacker. best regards, Torsten. Original message Subject: Re:

Re: [OAUTH-WG] Meeting Minutes

2016-04-19 Thread tors...@lodderstedt.net
>,Torsten Lodderstedt <tors...@lodderstedt.net> Cc: oauth@ietf.org >Hi Torsten, > >On 04/19/2016 12:34 AM, Brian Campbell wrote: >> >> I felt some consensus around the topic that in the end, there must be >> normative changes to the core protocol and the respe

Re: [OAUTH-WG] OAuth 2.1

2016-04-07 Thread tors...@lodderstedt.net
(IDM)" <phil.h...@oracle.com> To: Mike Jones <michael.jo...@microsoft.com> Cc: Torsten Lodderstedt <tors...@lodderstedt.net>,oauth@ietf.org >I believe all we need is a new draft that deals with the new "dynamic/mix-up" >cases as these were not considered i

Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt

2016-04-05 Thread tors...@lodderstedt.net
. Original message Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt From: Brian Campbell <bcampb...@pingidentity.com> To: Torsten Lodderstedt <tors...@lodderstedt.net> Cc: oauth <oauth@ietf.org> >Sorry for the slow

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-14 Thread tors...@lodderstedt.net
I meant William - sorry! Original message Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized From: Torsten Lodderstedt <tors...@lodderstedt.net> To: William Denniss <wdenn...@google.com>,Mike Jones <michael.jo...@mi

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
I basically support adoption of this document. Asserting authentication methods in access tokens (in this case in JWT format) is reasonable. We use it to pass information about the authentication performed prior to issuing an access token to the _resource_ server. What worries me is the back

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
Reference Values: Call for Adoption Finalized From: John Bradley <ve7...@ve7jtb.com> To: tors...@lodderstedt.net Cc: roland.hedb...@umu.se,oauth@ietf.org >This is not an issue between oauth and OIDC. > >This has to do with the registry for JWT being in OAuth. Many protocols that >

Re: [OAUTH-WG] Authentication Method Reference Values: Call for Adoption Finalized

2016-02-13 Thread tors...@lodderstedt.net
.jo...@microsoft.com> To: tors...@lodderstedt.net,John Bradley <ve7...@ve7jtb.com> Cc: oauth@ietf.org >The context that most people on this thread probably don't have is that an >IANA registry can only be established by an RFC. Non-RFC specifications, such >as OpenID specific