Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-11-19 Thread Aaron Parecki
My understanding was that the scope of the discussion was limited to OAuth, and does not cover OpenID Connect ID Tokens. With that in mind, I support the recommendation to use the authorization code instead of the implicit flow. Aaron Parecki aaronparecki.com @aaronpk

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-19 Thread Aaron Parecki
On Wed, Nov 7, 2018 at 7:20 AM Joseph Heenan wrote: > It may be worth slightly rewording 7.2 as it may encourage a growing > misconception that all native apps must be public clients. With many > devices now having embedded HSMs, we’ve seen increasing interest in mobile > apps being dynamically

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-11-19 Thread Mike Jones
This description of the situation is an oversimplification. OpenID Connect secures the implicit flow against token injection attacks by including the at_hash (access token hash) in the ID Token, enabling the client to validate that the access token was created by the issuer in the ID Token

Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-11-19 Thread Torsten Lodderstedt
Hi Mike, I agree that OIDC hybrid flows offer additional security over the OAuth implicit grant and are used in the wild. On my slides and in the initial version of the new section, we had included the hybrid OIDC flows because of their known token injection countermeasures. I nevertheless
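
Added example, not taken from any message in this thread: the at_hash check Mike describes and the c_hash check that gives the OIDC hybrid flows Torsten mentions their token injection countermeasure. The hash is computed exactly as OpenID Connect Core 1.0 section 3.3.2.11 specifies (digest chosen by the ID Token's JWS alg, left-most half, base64url without padding). The HS256 signing key, issuer, client_id, nonce and token strings are constructed for the demo; a real AS signs ID Tokens with RS256/ES256, and the verifier must pin the alg it expects rather than trust the header.

```python
import base64
import hashlib
import hmac
import json

# Digest for at_hash / c_hash follows the ID Token's JWS alg: the "256" in
# HS256/RS256/ES256 means SHA-256, and so on (OpenID Connect Core 1.0, 3.3.2.11).
_DIGEST_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_hash(token: str, alg: str) -> str:
    """at_hash / c_hash value: hash the token's ASCII octets with the alg's
    digest, keep the left-most half, base64url-encode without padding."""
    digest = _DIGEST_FOR_ALG[alg[-3:]](token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256-signed ID Token for the demo; a real AS signs with RS256/ES256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("ascii"))
    payload = b64url(json.dumps(claims).encode("ascii"))
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(id_token: str, key: bytes, issuer: str, client_id: str, nonce: str) -> tuple:
    """Signature, iss, aud and nonce checks; returns (claims, alg)."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg != "HS256":  # pin the expected alg; never accept "none" or whatever the header says
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("nonce") != nonce:
        raise ValueError("iss/aud/nonce mismatch")
    return claims, alg


def bound_to_id_token(claims: dict, alg: str, claim_name: str, value: str) -> bool:
    """True only if the ID Token's at_hash (access token) or c_hash (code) commits to `value`.
    A missing hash is a failure: without it the artefact is simply not bound to this ID Token."""
    expected = claims.get(claim_name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, token_hash(value, alg))


def demo() -> dict:
    """The legitimate response passes; an injected (swapped) access token or code does not."""
    key = b"constructed-demo-hmac-key"
    issuer, client_id, nonce = "https://as.example", "spa-client", "n-0S6_WzA2Mj"
    access_token, code = "victim-access-token-0001", "victim-code-0001"
    id_token = mint_id_token({"iss": issuer, "aud": client_id, "sub": "alice", "nonce": nonce,
                              "at_hash": token_hash(access_token, "HS256"),
                              "c_hash": token_hash(code, "HS256")}, key)
    claims, alg = verify_id_token(id_token, key, issuer, client_id, nonce)
    return {
        "legit_access_token": bound_to_id_token(claims, alg, "at_hash", access_token),
        "injected_access_token": bound_to_id_token(claims, alg, "at_hash", "attacker-access-token"),
        "legit_code": bound_to_id_token(claims, alg, "c_hash", code),
        "injected_code": bound_to_id_token(claims, alg, "c_hash", "attacker-code"),
    }


if __name__ == "__main__":
    print(demo())
```

The order matters: verify the ID Token's signature, iss, aud and nonce first, so that the at_hash/c_hash you compare against is itself authentic and tied to the session that started the flow; only then does a matching hash prove the access token or code arrived with this ID Token rather than being injected into the redirect. Note that at_hash is mandatory only when the access token is returned from the authorization endpoint (implicit and hybrid response types), which is why the check above treats an absent claim as a failure rather than skipping it.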

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-19 Thread Vladimir Dzhuvinov
Hi everyone, On 17/11/2018 13:07, Torsten Lodderstedt wrote: > >> The alternative, as you mentioned, is to not issue refresh tokens and do >> token renewal the "same old way" via iframe with prompt=none, while still >> using code flow. > yes. > > Have you ever experienced issues with the

[OAUTH-WG] Meeting Minutes (IETF#103)

2018-11-19 Thread Hannes Tschofenig
Here are the meeting minutes from the last IETF OAuth WG meeting from IETF#103: https://datatracker.ietf.org/meeting/103/materials/minutes-103-oauth-00 Thanks to Chris & Mike for taking notes. If you have comments, please let me know. Ciao Hannes

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-19 Thread Hans Zandbelt
+1 to the suggestions that Vladimir raises; I've seen a fair number of requests in the field for exactly that Hans. On Mon, Nov 19, 2018 at 10:59 AM Vladimir Dzhuvinov wrote: > On 17/11/2018 13:26, Torsten Lodderstedt wrote: > > To start with, the AS may use refresh token rotation in

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-19 Thread Jim Manico
I want to +1 this as well. This really got my attention as an impressive and straightforward defense technique. Jim > On Nov 19, 2018, at 3:48 PM, Hans Zandbelt wrote: > > +1 to the suggestions that Vladimir raises; I've seen a fair number of > requests in the field for exactly that > >

[OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit

2018-11-19 Thread Hannes Tschofenig
Hi all, The authors of the OAuth Security Topics draft came to the conclusion that it is not possible to adequately secure the implicit flow against token injection since potential solutions like token binding or JARM are in an early stage of adoption. For this reason, and since CORS allows

[OAUTH-WG] WGLC: draft-ietf-oauth-resource-indicators-01

2018-11-19 Thread Rifaat Shekh-Yusef
All, As discussed during the meeting in Bangkok, we are starting a WGLC on the Resource Indicators document: https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01 Please, review the document and provide feedback on any issues you see with the document. The WGLC will end on

Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps-00

2018-11-19 Thread Torsten Lodderstedt
You mean the binding between refresh tokens and sessions? > Am 19.11.2018 um 11:03 schrieb Hans Zandbelt : > > +1 to the suggestions that Vladimir raises; I've seen a fair number of > requests in the field for exactly that > > Hans. > >> On Mon, Nov 19, 2018 at 10:59 AM Vladimir Dzhuvinov