Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-17 Thread John Bradley
I agree that without a tight binding between the RS and AS we need to revisit RS meta-data. It is a can of worms however. On 4/17/2020 2:39 PM, Torsten Lodderstedt wrote: > I think the same is already true for mTLS. Solving it in an > interoperable way would require some metadata about RS and

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-17 Thread Torsten Lodderstedt
I think the same is already true for mTLS. Solving it in an interoperable way would require some metadata about RS and their requirements re mTLS/DPoP. Shall we revitalize the idea of RS metadata? > On 17.04.2020 at 17:37, George Fletcher wrote: > > This brings up interesting rollout

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-17 Thread George Fletcher
This brings up interesting rollout questions. Protecting just the refresh_token is easy and a useful security measure (especially if access tokens are short lived). However, once you start issuing DPoP bound access tokens to a client, it means ALL the endpoints that client invokes MUST

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-17 Thread Filip Skokan
I completely agree Justin, as mentioned - I wondered a year ago, I don't anymore. But I'd like it to be clear that sending a DPoP proof does not necessarily mean the AS MUST issue a DPoP access token. Depending on the AS/RS relationship and configuration a regular Bearer may still be issued and

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-17 Thread Justin Richer
The idea of “Continuing to work without taking advantage of sender constraints” is, I would argue, a security hole. Systems are allowed to fail security checks but still offer functionality. This is exactly the pattern behind allowing an unsigned JWT because you checked the “alg” header and it

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-16 Thread Brian Campbell
Thanks Filip for the replies. I'll add this to the growing list of todos for a coming revision of the draft. On Thu, Apr 16, 2020 at 2:06 AM Filip Skokan wrote: > I'm still somewhat on the fence as to the pros and cons of using a new >> token type and authorization scheme. But the draft has

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-16 Thread Filip Skokan
> > I'm still somewhat on the fence as to the pros and cons of using a new > token type and authorization scheme. But the draft has gone with a new one. > Would it have really helped this situation, if it'd stuck with "bearer"? Or > would it just be less obvious? > If we had stuck "bearer" then I

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-14 Thread Brian Campbell
Hi Filip, My attempts at responses to your questions/comments are inline: On Tue, Apr 14, 2020 at 2:14 AM Filip Skokan wrote: > I've wondered about the decision to use a new scheme before but > this time I'd like

[OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

2020-04-14 Thread Filip Skokan
I've wondered about the decision to use a new scheme before but this time I'd like to challenge the immediate usability of the future spec for one specific case - sender constraining public client Refresh Tokens. If at