Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-05-17 Thread Bill Burke
My personal opinion is that I'm glad this actor stuff is optional. For one, none of our users have asked for it and really only do simple exchanges. Secondly, the rules for who can exchange what for what are controlled and defined within our AS. Makes things a lot simpler on the client. I kind

Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-05-17 Thread Rob Otto
+1 to this. Rob On Thu, 17 May 2018 at 13:10, Bill Burke wrote: > My personal opinion is that I'm glad this actor stuff is optional. > For one, none of our users have asked for it and really only do simple > exchanges. Secondly, the rules for who can exchange what for what

Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-05-17 Thread Mike Jones
Moving the actor claim to a separate specification would only make things more complicated for developers. There are already plenty of OAuth specs. Needlessly adding another one will only make related things harder to find. Just like in the JWT [RFC 7519] spec itself in which use of all the

Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-05-17 Thread Bill Burke
This is an honest question: How important is the actor stuff to the players involved? Are people going to use it? IMO, it's an edge case and I think more important areas, like external token exchange (realm to realm, domain to domain) are being neglected. I'm quite unfamiliar with how consensus is

[OAUTH-WG] is updated guidance needed for JS/SPA apps?

2018-05-17 Thread Brock Allen
Much like updated guidance was provided with the "OAuth2 for native apps" RFC, should there be one for "browser-based client-side JS apps"? I ask because Google is actively discouraging the use of implicit flow: https://github.com/openid/AppAuth-JS/issues/59#issuecomment-389639290 From what I

Re: [OAUTH-WG] is updated guidance needed for JS/SPA apps?

2018-05-17 Thread Hannes Tschofenig
Hi Brock, there have been several attempts to start writing some guidance but so far we haven’t gotten too far. IMHO it would be great to have a document. Ciao Hannes From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brock Allen Sent: 17 May 2018 14:57 To: oauth@ietf.org Subject: