* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Oauth Status Pages

Web Authorization Protocol (Active WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2009-May-13 —  

IETF-104 oauth minutes

Session 2019-03-25 1610-1810: Athens/Barcelona - Audio stream - oauth chatroom
Session 2019-03-28 0900-1030: Berlin/Brussels - Audio stream - oauth chatroom


minutes-104-oauth-00 minutes

          Thanks to Tony Nadalin for the minutes.
          * Chairs Update – Hannes & Rifaat (10 min)
          Overview of agenda and current drafts that are in play. Dick Hardt
          switched jobs and need to find out what is going on with the Distributed
          Oauth. Device flow has had an update but William is not here, there
          was discussions at the Oauth Security Workshop that will make it
          into a new draft. JWT BCP is with AD and all area feedback has been
          incorporated. Brian needs to update Token-Exchange
          Reminder that there are conference calls every 2 week, please join if
          you want to discuss anything.
          * Security Topics & JWT Introspection - Torsten (45 min)
          Its an update to the Threat Model and Security Considerations documents
          and also the Oauth 2.0 Security Considerations documents.
          What has happened since last meeting, 4 revisions?
                  Limit usage of implicit grant.
                  More text of refresh tokens, refined the attack model
                  Not done yet.
                          Grant type PSWD to be deprecated – call in room showed
                          in favor 10 none against
                                  Need to provide alternatives to lots of folks
                                  using this grant
                          Move to public key crypto for authentication - call in
                          room showed in favor8 none against
                          PKCE is now mandatory and also frees up STATE back to
                          application. call in room showed in favor 8 none against
          Recommend PKCE more S256 over NONE - call in room showed in favor 10
          none against
                  There is another SPA specification but not yet completed.
                  Discussion over the if there was a consensus call to deprecating
                  the implicit flow, Mike says there was not a call, others say
                  there was, so Chairs to take this to the list. There was a
                  request for a die-die specification
          Improves RFC 7662 , used for high assurance use cases such as payments and
          electric signing, 7662 does not take into account signing the responses
          Not many changes since Bangkok, small stable draft
          Request to change this into a more generic specification to the list,
          so 1 response to keep it limited one response to open this up. So tin
          room hum showed hum in favor of keeping existing scope.
          * UMA drafts - Eve? (45 min)
          UMA enables cross party sharing, concept of a resource owner and resource
          party and these can talk to the same authorization server
          UMA Grant Overview
                  Party to party, synchronous
          UMA Federated Authorization
                  1 to n Multiple RS in different domains can use an AS in another
          Different tokens
                  Request Party token (RPT), Protection API Access token (PAT)
                  and Persisted Claims Token (PCT)
          * JWT Usage in OAuth2 Access Tokens - Vittorio (20 min)
          interoperable profile for access tokens.  So defining JWT profile for
          an access token would
                  improve crso vendor interop
                  Proposed JWT Access Token Layout
                  Not to be used as ID token
                  Validating JWT Access tokens process
          * OAuth Workshop Update - Hannes (10 min)
          Link to Workshop Agenda - https://sec.uni-stuttgart.de/events/osw2019
          Record attendance, invited guest speaker, hands on workshop, full agenda
          here https://sec.uni-stuttgart.de/events/osw2019/agenda
          * Browser-based App - Aaron (30 min)
          Written in JavaScript, no backend, require auth code flow with PKCE,
          no implicit flow. Browser based should not get refresh tokens
          Questions on the exact constraints on the proposal, should this be
          only browsers based? What about backend ? What is the scope of the
          specification? Torsten suggests that all the oauth processing can be
          pushed to backend, so one proposal is to make this all about Oauth in
          browser no about backend.
          So this scope would deal with receiving oauth requests, no matter if the
          processing takes place in the browser or in backend, cover both cases
          Must do exact matching on URLs
          Use PKCE instead of CSRF State, need to analyze current state of deployed
          apps, its not a simple change that can just be made. So there may need
          to be some words put in the BCP about state,
          Is S256 adequate for PKCE? Seems ok
          Should password grant be discouraged in BCP, its not been determined if
          this would be a MUST or a SHOULD. This document would prohibit use of
          password grant type
          * PoP Key Distribution - Hannes (30)
          new version published, seems that ACE and Oauth WG Pop tokens doscs can
          share same CWT usage.
          There is a equivalent draft in ACE to the Oauth resource parameters
          Ready for WGLC?  So there may need some additional work about proving
          a public key without a proof. This specification seems to only be half
          the solution. So must prove control of the public key, how that proof
          is provided seems to be the question, how it crosses boundaries. There
          seems to be some scenarios where I may get a key on behalf of another,
          but you don’t have the requestors private key. Are we enabling a MIM
          here? This may be an ACE issue only?
          * MTLS Update - Torsten (10 min)
          Client to AS , alternative to Token Binding
          Changes, new abstract protocol diagrams, added new metadata for use of
          a SAN. Added metadata for alternative AS endpoint
          Need more info on how refresh tokens are used for confidential clients
          There sees to be some issues with the metadata changes, as they may
          conflict with the AS Metadata specification, so some research needs to
          be done.  Mike says this needs to be clarified in the spec and if this
          is done then no issue.
          * Nested JWT - Rifaat (10 min)
          JWT within JWT, current restriction is that the outer JWT not contain
          claims, so this is a spec to remove that limitation.
          What is the motivating use case ?
          * DPoP Demonstrating Proof-of-Possession
          New draft, Oauth lacks a mechanism for SPA,
          Prevent replay, we have mTLS and Token Binding, but support is lacking
          in browsers for TB
          Which mechanisms is this applicable to, SPA? Browser based?

Generated from PyHt script /wg/oauth/minutes.pyht Latest update: 24 Oct 2012 16:51 GMT -