Re: [OAUTH-WG] Microsoft feedback on DPoP during April 2020 IIW session

On Fri, May 01, 2020 at 02:29:02AM +, Mike Jones wrote: > * Is the DPoP signature really needed when requesting a bound token? It > seems like the worst that could happen would be to create a token bound to a > key you don't control, which you couldn't use. Daniel expressed concern >

Re: [OAUTH-WG] Microsoft feedback on DPoP during April 2020 IIW session

Thanks Mike for sharing this summary of what sounds like it was a valuable discussion. I'm sorry that I wasn't "at" IIW so wasn't able to participate in the session. I will endeavor to incorporate the open issues into the presentation on DPoP for the virtual interim on Monday

Re: [OAUTH-WG] Microsoft feedback on DPoP during April 2020 IIW session

To add: there was discussion was whether the “htu" parameter should contain scheme/host/port/path, or just scheme/host/port. Dmitri indicated that it would aid their implementation to have the path eliminated. During JTI scale discussions, it was pointed out that some implementations may have

[OAUTH-WG] Microsoft feedback on DPoP during April 2020 IIW session

Daniel Fett and David Waite (DW) hosted a great session on OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) at the virtualized IIW this week. Attendees also included