I think it can be as simple as:
SHOULD NOT use refresh tokens without client authentication or key proof of
some kind.
In other words, no bearer refresh tokens.
— Justin
On Jul 19, 2019, at 7:49 PM, Aaron Parecki
<mailto:aa...@parecki.com> wrote:
So what I'm hearing in this thread is
I believe that access tokens and any refresh token policy should be guided by
the user authentication process and session lifetime policy of the AS.
There’s a case to be made that whether someone gets access to my access token
directly or a refresh token that allows someone to grant a new
Hi Brian!
From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, July 19, 2019 2:02 PM
To: Roman Danyliw
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
Thanks Roman,
I'm attempting to bring this thread and our private exchanges
Hi all, I'm looking forward to the discussion on this on Tuesday!
I wanted to add my thoughts on a potential addition to this draft,
specifically around returning some minimal user information in the
transaction response.
The summary of the suggestion is to return a new "user" key along with the
So what I'm hearing in this thread is essentially that:
1) depending on how it's implemented, using a refresh token in a SPA can
provide security benefits over using only access tokens
2) it is still "dangerous" to allow refresh tokens to be used without
client authentication
3) if there is a way
Thanks Roman,
I'm attempting to bring this thread and our private exchanges together
(sorry again that it ended up that way) and make sure we are on the same
page about the path forward before I start down that path.
Yes, your assessment below is correct. And yes I think the changes you
proposed
On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba wrote:
> >> and I trust the authors and responsible AD to do the right thing.
> >
> > I always endeavor to do the right thing.
>
> You do; hence, the trust. :-)
>
I do appreciate that, thank you.
> And thanks for the quick responses.
>
I try. To
Barry, thanks for the review, ballot position and comments. Please see
inline below for my replies to the latter.
On Thu, Jul 18, 2019 at 3:06 PM Barry Leiba via Datatracker <
nore...@ietf.org> wrote:
> Barry Leiba has entered the following ballot position for
>
Annabelle,
Go ahead and prepare slides to cover this topic, and I will try to squeeze
it in.
Regards,
Rifaat
On Wed, Jul 17, 2019 at 2:28 PM Richard Backman, Annabelle <
richa...@amazon.com> wrote:
> I’m coming in late to this party, but I’ve been asked by a few people
> about how AWS
I'd also be interested.
On Wed, Jul 17, 2019 at 12:47 PM Mike Jones wrote:
> I’d be interested in hearing that presentation – particularly the
> “lessons” part.
>
> -- Mike
>
> *From:* OAuth *On Behalf Of * Richard Backman,