Minutes for OAUTH at IETF-95
minutes-95-oauth-1

Meeting Minutes Web Authorization Protocol (oauth) WG
Date and time 2016-04-06 13:00
Title Minutes for OAUTH at IETF-95
State Active
Last updated 2016-04-06

IETF 95 OAuth Meeting Agenda
Wednesday, 10:00-12:30
Chairs: Hannes Tschofenig/Derek Atkins

Meeting Minute Taker: Leif Johansson

Agenda
======

- Status Update (Hannes, 5 min)

 (a) Informal OAuth Security Workshop (December 2015)
 (b) OAuth Security Workshop (July 2016)
 (c) Re-chartering
 (d) "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" as RFC

*** WG Documents ***

- OAuth 2.0 Mix-Up Mitigation (Hannes, 45 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/

  Presentation about the problems/threats we are solving:
  (a) OAuth Mix-Up (John)
  (b) Cut-and-paste Attack (Nat)

  Move cut-and-paste threat to a different document?

- OAuth Discovery (45min)

  What are the use cases the discovery document is solving?

  OAuth 2.0 Authorization Server Discovery Metadata (Mike, 15 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/

  OAuth Response Metadata (Nat, 15min)
https://datatracker.ietf.org/doc/draft-sakimura-oauth-meta/

  OAuth 2.0 Bound Configuration Lookup (Phil, 15min)
https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00

- Token Exchange (Brian, 15 min)
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

  What has been done so far, and discussion of open issues.
  Implementation status? Interoperability?

- OAuth 2.0 for Native Apps (William, 15 min)
http://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/

  Presentation on the availability of code. Move the document to WGLC as soon as
  enough people have done interop tests.

*** Non-WG Documents ***

- Resource Indicators for OAuth 2.0 (Brian/John, 15 min)
https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/

*** Not Discussed ***

- Authentication Method Reference Values document published.
https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

- Proof-of-Possession
http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/

- OAuth 2.0 JWT Authorization Request (JAR)
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

  Why is the document important? (related to mix-up attack)
  After the WGLC is the document ready?

- OAuth 2.0 Security: Closing Open Redirectors in OAuth
https://datatracker.ietf.org/doc/draft-ietf-oauth-closing-redirectors/

  Haven't received more feedback. WGLC?

- OAuth 2.0 Device Flow
https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/

  Compare the document with current deployment and provide feedback.
  Mike to send feedback from the Microsoft team.

- Conclusion (Hannes, 10 min)

Meeting Notes
============

Hannes reviews developments since Yokohama
    - security workshop hosted by DT to discuss the mix-up security vulnerability
    - created a list for submitting OAuth security vulnerabilities
    - next security workshop (July 2016) announced
    - review of the recharter and new milestones

OAuth 2.0 Mix-Up Mitigation
    - John presenting mix-up attacks and mitigation
    - Discussion about the attack and its implications at the mic
    - Nat presenting the cut-and-paste attack
    - WG discussed how to structure the documents describing mitigations to these
    attacks. Barry's advice: create a document that describes the threats and
    updates the normative documents with mitigations. At some point in the
    future, roll it all up into a -bis.

OAuth Discovery
    - Mike Jones presenting draft-ietf-oauth-discovery-02

OAuth Meta
    - Nat presents metadata draft.
    - Discussion at the mic about overlap with other drafts and other issues

OAuth 2.0 Bound Configuration
    - Phil Hunt presents his draft
    - Discussion at the mic about overlaps and relationships with other drafts,
    including those already presented in the session.
    - LJ suggests a design team to come up with a consistent model for discovery
    and metadata
    - More discussion at the mic about the merits of standard metadata models
    - Chair formed a design team: John, Mike, Brian (who doesn't think we need a
    design team), Dick Hardt, Phil, Tony, Nat

Token Exchange
    - Brian presenting draft-ietf-oauth-token-exchange-03
    - Mike at the mic noting there are no implementations yet; should have that
    before WGLC.
    - Jim Fenton: we have an implementation that could be adapted to this.

OAuth 2.0 for Native Apps
    - William Denniss presents the draft BCP. Notes involvement of local
    Argentinian developers in a Django OIDC plugin implementing the BCP.

Resource Indicators for OAuth 2.0 (Brian/John, 15 min)
    - Brian C presents draft-campbell-oauth-resource-indicators-01
    - Torsten L at the mic talking about the relationship between this and scopes
    - Discussion at the mic follows on this topic
    - Chair calls for adopting the work in the WG. 10 hands raised for, 0
    against, 1 for "not enough data". To be confirmed on the mailing list, but
    this reflects rough consensus.

John Bradley sang a few notes from the Sound of Music to end the meeting.