Minutes IETF100: oauth
Web Authorization Protocol
||Minutes IETF100: oauth
Web Authorization Protocol (OAuth)
** Chairs Update – 10 min
NEW: OAuth Security Workshop 2018
** Mutual TLS Profile for OAuth 2.0 – (30 min, Brian Campbell)
Leif: should be possible to constrain the issuer of certs in pki mode
Brian: implementers feedback - not easy to implement due to the data exposed by
the TLS layer Leif: at least add security consideration around potential
security considerations Torsten: we have some text regarding this attack in
section 6.2 - pls. give it a read Justin: can only be used with grant types
utilizing token endpoint, so what about implicit? John: we don’t believe
provisioning of certs into user browsers is desirable, token binding is the
better solution Justin: reasonable argument - please add text to the spec
clearing cutting this off Brian: only open comment right now about metadata for
mtls bound access tokens Hannes: What is the difference between this spec and
token binding (in particular given support for self-signed certificates)?
John/Torsten: self-signed certs are a lightweight replacement for client
authentication Dick: you should consider large cloud providers terminate TLS at
the load balancers, won’t potentially work there Justin: banks today use TLS
and mutual TLS, so from their perspective, this draft adds OAuth for TLS.
Hannes: Please add text about the difference into the document to make it clear
for the reader. WGLC will be issued in december after clarification.
Reviewers: Justin and Leif
** OAuth 2.0 Token Binding (30 min, Brian Campbell)
** OAuth 2.0 Authorization Server Metadata - (5 min, Mike Jones)
Mike to update the draft.
** JSON Web Token Best Current Practices – (15 min, Mike Jones)
Brian to search for old comment regarding content type.
Chairs to ask for more reviewers on SAAG list.
** OAuth 2.0 Device Flow – (15 min, John Bradley)
Nat to compare his review comments with the proposed resolution. Ready for
** OAuth 2.0 Device Posture Signals – (15 min, John Bradley)
Hannes: seem to make a lot of assumptions, e.g. regarding attestation?
John: direct TLS connection to token endpoint, individual attestations already
signed wendy Privacy considerations? John: need to discuss dave: What prevents
one app from stealing an attestation from another app? John: depends on the
API, e.g. on Android it is Safety Net, draft depends on token binding for
replay prevention No one seemed to have read the document Tony: relationship to
token binding attestation? John: other level (TLS instead of App) Lucy:
reliability of data? How is the AS supposed to enforce a policy? John: low
level functions create attestation, the app just bundles this pieces and passes
them onto the AS Hannes: need to understand the architecture Torsten: need to
document architecture and trust model John: there is some implementation
experience, we need to get the vendor talk about it dave: what is the
signature? What key material?
5 persons are interested in this topic but nobody read the draft. Requires
expertise from the hardware community.
** OAuth Security Topics – (30 min, Torsten Lodderstedt)
Concerns over the document lifecycle. Solutions, such as the audience, may need
to be put into separate document. bcp can be updated if newer threats or
mitigations come in
A consensus call on the recommendations in document needs to be done on the list
Reviewers: Nat, Dick, Brian
** Mutual OAuth – (20 min, Dick Hardt)
Questions and concern over consent. Presentation did not capture the consent
parts. Potential overlap with other work, such as token exchange.
Poll: 14 persons were in favor of working on this topic / 0 against
** Distributed OAuth – (20 min, Dick Hardt)
Overlap with prior work has been noted (e.g. UMA 2.0)
There is general WG interest in the topic.
** Raw-Public-Key and Pre-Shared-Key as OAuth client credentials – (10 min,
Justin: should we merge this with the mutual tls draft , resounding no from
most of room
** Public Identity Infrastructure for the Internet – (10 min, Vittorio Bertola)
Justin - Wanted to know why this would stop fragmentation or will help to
unify? There have been other adoption issues like web finger. Nat - already
looked at a dns based solution and was not practical Leif- overlap in openid
federation: how does the trust mechanism scale? DNS is a poor infrastructure to