:-)
Original message
From: Thomas Broyer <t.bro...@gmail.com>
Sent: Saturday, April 23, 2016 10:46 PM
To: Torsten Lodderstedt <tors...@lodderstedt.net>,Guido Schmitz
<g.schm...@gtrs.de>,oauth@ietf.org
Subject: Re: [OAUTH-WG] State Leakage Attack
>
Hi Daniel,
how is the attacker supposed to utilise the leaked state value? I would assume
the legit client binds it to a certain user agent, e.g. via the session
context, which is not available to the attacker.
best regards,
Torsten.
Original message
Subject: Re:
>,Torsten Lodderstedt
<tors...@lodderstedt.net>
Cc: oauth@ietf.org
>Hi Torsten,
>
>On 04/19/2016 12:34 AM, Brian Campbell wrote:
>>
>> I felt some consensus around the topic that in the end, there must be
>> normative changes to the core protocol and the respe
(IDM)" <phil.h...@oracle.com>
To: Mike Jones <michael.jo...@microsoft.com>
Cc: Torsten Lodderstedt <tors...@lodderstedt.net>,oauth@ietf.org
>I believe all we need is a new draft that deals with the new "dynamic/mix-up"
>cases as these were not considered i
.
Original message
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for
draft-campbell-oauth-resource-indicators-01.txt
From: Brian Campbell <bcampb...@pingidentity.com>
To: Torsten Lodderstedt <tors...@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
>Sorry for the slow
I meant William - sorry!
Original message
Subject: Re: [OAUTH-WG] Authentication Method Reference Values: Call for
Adoption Finalized
From: Torsten Lodderstedt <tors...@lodderstedt.net>
To: William Denniss <wdenn...@google.com>,Mike Jones
<michael.jo...@mi
I basically support adoption of this document. Asserting authentication methods
in access tokens (in this case in JWTS format) is reasonable. We use it to pass
information about the authentication performed prior to issuing an access token
to the _resource_ server.
What worries me is the back
Reference Values: Call for
Adoption Finalized
From: John Bradley <ve7...@ve7jtb.com>
To: tors...@lodderstedt.net
Cc: roland.hedb...@umu.se,oauth@ietf.org
>This is not an issue between oauth and OIDC.
>
>This has to do with the registry for JWT being in OAuth. Many protocols that
>
.jo...@microsoft.com>
To: tors...@lodderstedt.net,John Bradley <ve7...@ve7jtb.com>
Cc: oauth@ietf.org
>The context that most people on this thread probably don’t have is that an
>IANA registry can only be established by an RFC. Non-RFC specifications, such
>as OpenID specific