Minutes IETF102: oauth: Thu 09:30
minutes-102-oauth-201807190930-00

Meeting Minutes Web Authorization Protocol (oauth) WG
Date and time 2018-07-19 13:30
State Active
Last updated 2018-08-09

# OAuth - Thursday - IETF 102

Tony Nadalin taking notes

# POP Tokens

OAuth 2.0 Proof-of-Possession Tokens – Hannes

Refresher on PoP Tokens
    Interactions between the client and the AS (asymmetric keys)

Status
    ACE-OAuth PoP functionality
    CoAP and HTTP are using this
    WebRTC is also using PoP tokens
    DTLS usage

Open Issues
    Where should the HTTP-based parameter definitions go
    “alg” vs “profile” parameter
    How should the transport parameter go

ACE-OAuth defined parameters
    Audience, Confirmation and Profile; these are also defined for token
    introspection

John B.: Don’t use audience as a parameter; also, making these parameters is
hard, experience from Token Binding, so piggyback on Token Binding

Ongoing discussion on using “aud” in a request: different names are needed, so
use a different name rather than overloading the existing “aud” claim, and check
for conflicts

Mike wants to adopt the Resource Indicator draft

What is needed?
    Protocol
    Token type
    Security protocol

Lots of conflicts between OAuth and ACE-OAuth

# Distributed OAuth – Dick Hardt

Presented in Singapore, Nat and Brian have joined as editors

AS discovery problem – today there is a static relationship between the AS and
the resource, but this needs to change; so how does the client find the right AS?

Access token reuse – a token may not have the right scope for a different AS

UTM security model, use cases for aviation

HTTP 401 responses: the client discovers the AS, and discovers the resource URI as well
    Client confirms the resource URI

The client then knows where the AS is

PoP – AS reuses the client credentials at different
    Many different options here to discuss

Next steps
    Add resource URI to the code flow
    Sender-constrained access tokens
    Call to adopt as a WG draft; hum indicated to adopt, will be taken to the list
    Should we adopt the Resource Indicator as a WG draft? Hum indicates to adopt

# Best Security Practices Document

Feedback from security researchers: read the document
    Recommendations in the document
        Exact redirect URI matching
        One-time use tokens

Status
    Latest version is -06

Open issues
    Crypto agility
    Audience restrictions
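To illustrate the “exact redirect URI matching” recommendation recorded above, here is an added example of the server-side check (example code, not from the minutes or the BCP draft); the registered URI and the redirect_uri values it evaluates are constructed.

```python
"""Exact redirect_uri matching vs. prefix matching at an authorization server.

Added example, not code from the minutes or the BCP draft. The registered
URI and the request values below are constructed for illustration.
"""

# Constructed: redirect URIs registered for one client at registration time.
REGISTERED = {"https://client.example/callback"}

def loose_match(registered: set, requested: str) -> bool:
    """Prefix matching, the behaviour the BCP recommendation rules out."""
    return any(requested.startswith(r) for r in registered)

def exact_match(registered: set, requested: str) -> bool:
    """Exact string comparison: no prefixes, no normalization, no wildcards."""
    return requested in registered

# Constructed redirect_uri values a server could receive, with the expected decision.
CASES = {
    "https://client.example/callback": True,
    "https://client.example/callback?next=https://attacker.example": False,
    "https://client.example/callback/../admin": False,
    "https://client.example/callback.attacker.example/": False,
    "https://client.example.attacker.example/callback": False,
    "http://client.example/callback": False,
    "https://CLIENT.example/callback": False,
}

def wrongly_accepted(matcher) -> set:
    """Requested URIs the matcher accepts although they should be refused."""
    return {uri for uri, expected in CASES.items()
            if matcher(REGISTERED, uri) and not expected}

if __name__ == "__main__":
    print("prefix matching wrongly accepts:", sorted(wrongly_accepted(loose_match)))
    print("exact matching wrongly accepts:", sorted(wrongly_accepted(exact_match)))
```

The one deliberate exception to pure string equality is the loopback redirect of native apps, where RFC 8252 requires the server to accept any port on the loopback address; that case needs a separate, explicit rule rather than a relaxed general comparison.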