Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-09-06 Thread Atul Tulshibagwale
I too have these open questions: https://mailarchive.ietf.org/arch/msg/oauth/NLj-xnAZ4BtFs9z62OzCro4xxoc/ But I hope they are answered as the draft progresses in the WG. On Wed, Sep 6, 2023 at 7:08 AM Brian Campbell wrote: > I did have a few unanswered comments/questions on the draft >

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-09-06 Thread Brian Campbell
I did have a few unanswered comments/questions on the draft https://mailarchive.ietf.org/arch/msg/oauth/LA6sqNOV98D7wP44p2Hl6dpSmtg/ that hopefully can be addressed as it progresses. On Wed, Sep 6, 2023 at 5:50 AM Rifaat Shekh-Yusef wrote: > All, > > Based on the responses on this thread, we

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-09-06 Thread Rifaat Shekh-Yusef
All, Based on the responses on this thread, we declare the *Protected Resource Metadata* draft adopted as a WG document. Authors, Feel free to submit a WG document at your convenience. Regards, Rifaat & Hannes On Mon, Aug 28, 2023 at 5:28 AM Takahiko Kawasaki wrote: > I support adoption.

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-31 Thread Atul Tulshibagwale
Hi all, I have a couple of questions about the OPRM draft. 1. If I have a resource server that has multiple endpoints, each of which requires different scopes, how should those be handled? For example, in the SSF spec, the SSF Transmitter has a Create Stream endpoint and a Polling

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-28 Thread Takahiko Kawasaki
I support adoption. In the past, when considering the encryption of JWT access tokens, I learned that the draft regarding the metadata of the resource server had expired, which was disappointing. For an authorization server to encrypt an access token with an asymmetric algorithm, it must obtain a

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-28 Thread Daniel Fett
+1 On 28.08.23 at 10:33, Joseph Heenan wrote: I support adoption. Joseph On 23 Aug 2023, at 20:01, Rifaat Shekh-Yusef wrote: All, This is an official call for adoption for the *Protected Resource Metadata* draft: https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-28 Thread Joseph Heenan
I support adoption. Joseph > On 23 Aug 2023, at 20:01, Rifaat Shekh-Yusef wrote: > > All, > > This is an official call for adoption for the Protected Resource Metadata > draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the mailing list and

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-27 Thread Neil Madden
Right. It’s worth noting that many endpoints already publish similar metadata via OpenAPI (Swagger) API descriptions. Neil On 27 Aug 2023, at 19:42, Dick Hardt wrote: For many resources, the information is already disclosed. What is excessive to you might be crucial to others -- and my use case,

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-27 Thread Dick Hardt
For many resources, the information is already disclosed. What is excessive to you might be crucial to others -- and my use case, the disclosure is crucial. Extrapolating your basis for objecting, that another endpoint provides additional attack surface, we would not do ANY new endpoints or

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-27 Thread Jaimandeep Singh
Hi Dick, My previous emails do not even obliquely refer to security by obscurity. It is about design patterns and excessive information disclosure. Regards Jaimandeep Singh On Sat, 26 Aug, 2023, 8:27 pm Dick Hardt, wrote: > Jaimandeep: Do I understand your objection to adoption is that

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-26 Thread Tom Jones
The security reason for exclusion of error codes and other information is that the data helps the attacker subvert the app. I continue my attempt to avoid helping the attacker. thx ..Tom (mobile) On Sat, Aug 26, 2023, 7:58 AM Dick Hardt wrote: > Jaimandeep: Do I understand your objection to

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-26 Thread Dick Hardt
Jaimandeep: Do I understand your objection to adoption is that providing a resource discovery endpoint increases the attack surface as an attacker gains knowledge about the resource? If I understand that correctly, then you are suggesting security through obscurity. As mentioned by Aaron, there

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread Jaimandeep Singh
Hi Aaron, Thx for your suggestions. I have reviewed the recordings and I would suggest the following: 1. Design Consideration: The two components of the OAuth 2.0 ecosystem authorization server (step 1) and protected resource server (step 2) may appear independent, but from a systems perspective there

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread Aaron Parecki
Hi Jaimandeep, As with many OAuth extensions, this is not obligatory to implement unless you need the functionality it provides. Many of the concerns you mention are referenced in the security considerations section of the draft already, and we would of course be happy to further expand that

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread Michael Schwartz
I support adoption On Aug 23, 2023, at 3:01 PM, Rifaat Shekh-Yusef wrote: All, This is an official call for adoption for the Protected Resource Metadata draft: https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ Please, reply on the mailing list and let us know if

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread Jaimandeep Singh
I do not support the adoption because of the following: 1. Increased Attack Surface and Information Disclosure: The proposed draft inherently expands the attack surface by allowing the retrieval of detailed information about the protected resources held with a particular resource server, as outlined

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread Neil Madden
I support adoption. > On 23 Aug 2023, at 20:02, Rifaat Shekh-Yusef wrote: > > > All, > > This is an official call for adoption for the Protected Resource Metadata > draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the mailing list and let

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread Oliver Terbu
I support adoption On Fri, Aug 25, 2023 at 5:09 PM John Bradley wrote: > I support adoption > > On Aug 23, 2023, at 3:01 PM, Rifaat Shekh-Yusef > wrote: > > All, > > This is an official call for adoption for the *Protected Resource > Metadata* draft: >

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-25 Thread John Bradley
I support adoption > On Aug 23, 2023, at 3:01 PM, Rifaat Shekh-Yusef > wrote: > > All, > > This is an official call for adoption for the Protected Resource Metadata > draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the mailing list and

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-24 Thread Leif Johansson
I support adoption too On 24 Aug 2023 at 08:31, Vladimir Dzhuvinov wrote: I support adoption. Vladimir Dzhuvinov On 23/08/2023 20:01, Rifaat Shekh-Yusef wrote: All, This is an official call for adoption for

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-24 Thread Vladimir Dzhuvinov
I support adoption. Vladimir Dzhuvinov On 23/08/2023 20:01, Rifaat Shekh-Yusef wrote: All, This is an official call for adoption for the *Protected Resource Metadata* draft: https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ Please, reply on the mailing list and let us

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-24 Thread David Waite
I support adoption > On Aug 23, 2023, at 11:44 PM, Aaron Parecki > wrote: > > I support adoption. > > Aaron > > > On Wed, Aug 23, 2023 at 8:02 PM Rifaat Shekh-Yusef > wrote: >> All, >> >> This is an official call for adoption for the Protected Resource

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-24 Thread Amir Sharif
or disclose anything about it. Thank you. Please note that > this communication does not designate an information system for the > purposes of the Electronic Transactions Act 2002. > > > > *From: *OAuth on behalf of Heather Flanagan < > h...@sphericalcowconsulting.com> >

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Aaron Parecki
I support adoption. Aaron On Wed, Aug 23, 2023 at 8:02 PM Rifaat Shekh-Yusef wrote: > All, > > This is an official call for adoption for the *Protected Resource > Metadata* draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the mailing list and

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Tobias Looker
st 2023 at 10:51 AM To: Steinar Noem , oauth Subject: Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. Hi all,

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Heather Flanagan
Hi all, I have to chime in on this one. +1 to supporting it for adoption! -Heather > On Aug 23, 2023, at 3:46 PM, Steinar Noem wrote: > > I support adoption > > On Wed, 23 Aug 2023 at 20:03, Rifaat Shekh-Yusef > <rifaat.s.i...@gmail.com> wrote: >> All, >> >> This is an official call

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Steinar Noem
I support adoption On Wed, 23 Aug 2023 at 20:03, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote: > All, > > This is an official call for adoption for the *Protected Resource > Metadata* draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Nicole Roy
I support adoption. Nicole ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Michael Prorock
I support adoption Mike Prorock CTO - mesur.io On Wed, Aug 23, 2023, 16:21 Giuseppe De Marco wrote: > Hi, > I support the adoption. > > On Wed, 23 Aug 2023, 21:02 Rifaat Shekh-Yusef wrote: > >> All, >> >> This is an official call for adoption for the *Protected Resource >> Metadata*

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Giuseppe De Marco
Hi, I support the adoption. On Wed, 23 Aug 2023, 21:02 Rifaat Shekh-Yusef wrote: > All, > > This is an official call for adoption for the *Protected Resource > Metadata* draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the mailing list and

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Pieter Kasselman
I support adoption From: OAuth On Behalf Of Rifaat Shekh-Yusef Sent: Wednesday, August 23, 2023 8:02 PM To: oauth Subject: [OAUTH-WG] Call for adoption - Protected Resource Metadata All, This is an official call for adoption for the Protected Resource Metadata draft:

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Orie Steele
> *To:* Rifaat Shekh-Yusef > *Cc:* oauth > *Subject:* Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata > > I support adoption. > > On Wed, Aug 23, 2023 at 12:02 PM Rifaat Shekh-Yusef < > rifaat.s.i...@gmail.com> wrote: > > All, > > This is

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Michael Jones
I support adoption. -- Mike From: OAuth on behalf of Dick Hardt Sent: Wednesday, August 23, 2023 8:09:46 PM To: Rifaat Shekh-Yusef Cc: oauth Subject: Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata I support adoption. On Wed, Aug 23, 2023

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

2023-08-23 Thread Dick Hardt
I support adoption. On Wed, Aug 23, 2023 at 12:02 PM Rifaat Shekh-Yusef wrote: > All, > > This is an official call for adoption for the *Protected Resource > Metadata* draft: > https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ > > Please, reply on the mailing list and let us