Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-08-11 Thread Benjamin Kaduk
On Tue, Aug 11, 2020 at 02:35:20PM -0600, Brian Campbell wrote:
> I also suspect the Jwsreq authors won't respond to this and the request/suggestion will be ignored. Which is discouraging. I realize it's late in the process for this document but it's been in IESG Evaluation since early 2017.

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-08-11 Thread Brian Campbell
I also suspect the Jwsreq authors won't respond to this and the request/suggestion will be ignored. Which is discouraging. I realize it's late in the process for this document but it's been in IESG Evaluation since early 2017. And the recent ballot comments

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-23 Thread Mike Jones
Behalf Of Brian Campbell
Sent: Thursday, July 23, 2020 1:30 PM
To: dba...@leastprivilege.com
Cc: oauth
Subject: [EXTERNAL] Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

In hindsight, yeah, having explicit JWT typing everywhere would be nice. But retrofitting would be a very

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-23 Thread Brian Campbell
In hindsight, yeah, having explicit JWT typing everywhere would be nice. But retrofitting would be a very major undertaking, which I don't think could reasonably be justified considering cost–benefit. I can't speak directly for the Jwsreq authors but I suspect considerations around

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Dominick Baier
Good point. Thanks, Brian. We should retrofit typs everywhere... in hindsight.
———
Dominick Baier

On 22. July 2020 at 23:55:20, Brian Campbell (bcampb...@pingidentity.com) wrote:
Because it wouldn't actually prevent it in this case due to JWT assertion client authentication (a.k.a.

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Dominick Baier
Even more. Jwsreq should have it. But the authors decided against it.
———
Dominick Baier

On 23. July 2020 at 07:38:04, Dominick Baier (dba...@leastprivilege.com) wrote:
Good point. Thanks, Brian. We should retrofit typs everywhere... in hindsight.
———
Dominick Baier

On 22. July 2020 at

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Brian Campbell
Because it wouldn't actually prevent it in this case due to JWT assertion client authentication (a.k.a. private_key_jwt) having come about well before the JWT BCP and the established concept of using the 'typ' header to prevent cross-JWT confusion. Thus there's no validation rule regarding the

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Dominick Baier
Why not use a typ header as suggested by the JWT BCP?
———
Dominick Baier

On 22. July 2020 at 17:37:41, Brian Campbell (bcampbell=40pingidentity@dmarc.ietf.org) wrote:
The TL;DR here is a somewhat tentative suggestion that a brief security consideration be added to

[OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

2020-07-22 Thread Brian Campbell
The TL;DR here is a somewhat tentative suggestion that a brief security consideration be added to https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits the inclusion of a 'sub' claim containing the client id value in the request object JWT so as to prevent the request object JWT