Minutes IETF102: oauth: Thu 09:30
minutes-102-oauth-201807190930-00
| Meeting Minutes | Web Authorization Protocol (oauth) WG | |
|---|---|---|
| Title | Minutes IETF102: oauth: Thu 09:30 | |
| State | Active | |
| Last updated | 2018-08-09 | |
# OAuth - Thursday - IETF 102
Tony Nadalin taking notes
# POP Tokens
OAuth 2.0 Proof-of-Possession Tokens – Hannes
Refresher on PoP Tokens
Interactions between Client and the AS (Asymmetric Keys)
Status
ACE-Oauth POP-Functionality
CoAP and HTTP are using this
WebRTC is also using PoP Tokens
DTLS usage
Open Issues
Where should the HTTP-based parameter Definitions go
“alg” vs “profile” Parameter
How should the transport parameter go
ACE-Oauth defined Parameters
Audience, Confirmation and Profile, these are also defined for token
introspection
John B.: Don’t use audience as a parameter; also, making these parameters is
hard. Experience from Token Binding, so piggyback on Token Binding
Ongoing discussion on using “aud” in a request, so different names are needed;
just use a different name, don’t overload the existing “aud” claim, and check for
conflicts
Mike wants to adopt Resource Indicator draft
What is needed?
Protocol
Token Type
Security Protocol
Lots of conflicts between OAuth and ACE OAuth
# Distributed OAuth – Dick Hardt
Presented in Singapore, Nat and Brian have joined as editors
AS Discovery problem – static relationship between AS and resource but this
needs to change, so how do you find the right AS
Access token reuse: the token may not have the right scope for the different AS
UTM Security Model, uses cases for aviation
HTTP 401 responses: client discovers the AS, and discovers the resource URI also
Client confirms resource URI
Client then knows where the AS is
PoP – AS reuses the client credentials at different
Many different options here to discuss
Next steps
Add resource URI to code flow
Sender constrained access tokens
Call to adopt as WG draft, hum indicated to adopt, will be taken to list
Should we adopt the Resource Indicator as WG draft, hum indicates to adopt
# Best Security Practices Document
Feedback from security researchers, read the document
Recommendations in document
Exact redirect URI matching
Onetime use tokens
Status
Latest version is -06
Open issues
Crypto agility
Audience restrictions
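The two recommendations recorded under the Best Security Practices discussion, exact redirect URI matching and one-time use of authorization codes, as an added Python example that is not part of these minutes or of any OAuth draft. The client registry, the redirect URIs, the attacker-style inputs and the code store are constructed here for illustration; the function and class names are this example's own.

```python
"""Added example, not part of the IETF 102 minutes or of any OAuth draft.

Exact redirect URI matching and one-time use of authorization codes, shown
as the checks an authorization server (AS) would perform. The client registry,
redirect URIs and codes are constructed sample data for illustration.
"""

import secrets

# Constructed sample registry: client_id -> registered redirect URIs.
REGISTERED_REDIRECT_URIS = {
    "client-a": ["https://client.example/cb"],
    "client-b": ["https://client.example"],  # a bare origin, registered loosely
}


def redirect_uri_allowed_exact(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered URIs (the BCP recommendation)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def redirect_uri_allowed_prefix(client_id: str, redirect_uri: str) -> bool:
    """Prefix comparison, the weaker check the BCP warns against; here only for contrast."""
    return any(redirect_uri.startswith(uri)
               for uri in REGISTERED_REDIRECT_URIS.get(client_id, []))


class AuthorizationCodeStore:
    """Authorization codes bound to (client_id, redirect_uri) and redeemable exactly once."""

    def __init__(self) -> None:
        self._pending = {}        # code -> (client_id, redirect_uri)
        self._consumed = set()    # codes already redeemed, kept to detect replay

    def issue(self, client_id: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri)
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> str:
        """Returns 'ok', 'replay' (code already used; the AS should revoke what it
        issued), 'mismatch' (wrong client or redirect_uri) or 'unknown'."""
        if code in self._consumed:
            return "replay"
        entry = self._pending.pop(code, None)
        if entry is None:
            return "unknown"
        self._consumed.add(code)  # one-time use: burned on any redemption attempt (fail closed)
        if entry != (client_id, redirect_uri):
            return "mismatch"
        return "ok"


if __name__ == "__main__":
    # Dot segments a browser normalizes to https://client.example/open-redirect?to=...
    traversal = "https://client.example/cb/../open-redirect?to=https://attacker.example"
    print("exact :", redirect_uri_allowed_exact("client-a", traversal))   # False
    print("prefix:", redirect_uri_allowed_prefix("client-a", traversal))  # True
    # Hostname extension slips past a prefix match on a bare-origin registration.
    print("prefix:", redirect_uri_allowed_prefix("client-b", "https://client.example.attacker.example/cb"))  # True
    store = AuthorizationCodeStore()
    code = store.issue("client-a", "https://client.example/cb")
    print(store.redeem(code, "client-a", "https://client.example/cb"))  # ok
    print(store.redeem(code, "client-a", "https://client.example/cb"))  # replay
```

The prefix variant is included only to show what exact matching closes off: a `..` segment or a longer hostname still starts with the registered string, while the exact check rejects both. Burning a code on a mismatched redemption is a deliberate fail-closed choice; an AS that sees a replay should also revoke the tokens that code produced.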