Re: [OAUTH-WG] [EXT] Re: WGLC review of draft-ietf-oauth-security-topics-13

2019-11-27 Thread Pedram Hosseyni
Hi Mike, > Wouldn't most RSs only trust access tokens from a single AS anyways? At the last OSW, there was broad agreement that this is typically the case. Otherwise, the mitigation that we suggested in the paper would not prevent the attack. > Would it be reasonable for the document to

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-27 Thread Brian Campbell
On Wed, Nov 27, 2019 at 3:31 AM Neil Madden wrote: > > That is true, but is IMO more of a hindrance than an advantage for a PoP > scheme. The very fact that the signature is valid at every RS is why you > need additional measures to prevent cross-RS token reuse. This downside of > signatures for

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-27 Thread Neil Madden
> On 27 Nov 2019, at 19:19, Brian Campbell wrote: > >> On Wed, Nov 27, 2019 at 3:31 AM Neil Madden >> wrote: >> >> That is true, but is IMO more of a hindrance than an advantage for a PoP >> scheme. The very fact that the signature is valid at every RS is why you >> need additional

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-27 Thread Brian Campbell
On Tue, Nov 26, 2019 at 6:26 PM Richard Backman, Annabelle < richa...@amazon.com> wrote: > > That’s not directly attached to the access token. This means that every > RS has to know about DPoP. > > True, but you could avoid that by embedding the access token in the DPoP > proof (similar to

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-27 Thread Neil Madden
> On 27 Nov 2019, at 20:30, Richard Backman, Annabelle > wrote: > > > That is true, but is IMO more of a hindrance than an advantage for a PoP > > scheme. The very fact that the signature is valid at every RS is why you > > need additional measures to prevent cross-RS token reuse. > The

Re: [OAUTH-WG] Additional WGLC review of OAuth 2.0 Security Best Current Practice by an AAD developer

2019-11-27 Thread Benjamin Kaduk
On Thu, Nov 28, 2019 at 12:12:54AM +, Mike Jones wrote: > Please also add these WGLC comments that a Microsoft Azure Active Directory > (AAD) developer asked me to convey: > > > 1. In 4.12, "Authorization servers MUST determine based on their risk > assessment whether to issue refresh

[OAUTH-WG] Additional WGLC review of OAuth 2.0 Security Best Current Practice by an AAD developer

2019-11-27 Thread Mike Jones
Please also add these WGLC comments that a Microsoft Azure Active Directory (AAD) developer asked me to convey: 1. In 4.12, "Authorization servers MUST determine based on their risk assessment whether to issue refresh tokens to a certain client [...]" I'm not sure what this requirement

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

2019-11-27 Thread Neil Madden
On 27 Nov 2019, at 01:26, Richard Backman, Annabelle wrote: > >  > > That’s not proof of possession, that’s just verifying a MAC. PoP requires > > the other party (client) to provide a fresh proof that they control a key. > > The client isn’t using any key in this case. > > I think we’re