IETF 95 OAuth Meeting Agenda
Wednesday, 10:00-12:30
Chairs: Hannes Tschofenig/Derek Atkins

- Status Update (Hannes, 5 min)
  (a) Informal OAuth Security Workshop (December 2015)
  (b) OAuth Security Workshop (July 2016)
  (c) Re-chartering
  (d) "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" published as RFC

*** WG Documents ***

- OAuth 2.0 Mix-Up Mitigation (Hannes, 45 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
  Presentation about the problems/threats we are solving:
  (a) OAuth Mix-Up (John)
  (b) Cut-and-paste Attack (Nat)
  Question: move the cut-and-paste threat to a different document?

- OAuth Discovery (45 min)
  What are the use cases the discovery document is solving?
  OAuth 2.0 Authorization Server Discovery Metadata (Mike, 15 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/
  OAuth Response Metadata (Nat, 15 min)
  https://datatracker.ietf.org/doc/draft-sakimura-oauth-meta/
  OAuth 2.0 Bound Configuration Lookup (Phil, 15 min)
  https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00

- Token Exchange (Brian, 15 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
  What has been done so far, and discussion of open issues.
  Implementation status? Interoperability?

- OAuth 2.0 for Native Apps (William, 15 min)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
  Presentation on the availability of code.
  Move the document to WGLC as soon as enough people have done interop tests.

*** Non-WG Documents ***

- Resource Indicators for OAuth 2.0 (Brian/John, 15 min)
  https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/

*** Not Discussed ***

- Authentication Method Reference Values document published.
  https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

- Proof-of-Possession
  http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
  https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/

- OAuth 2.0 JWT Authorization Request (JAR)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
  Why is the document important? (related to the mix-up attack)
  After WGLC, is the document ready?

- OAuth 2.0 Security: Closing Open Redirectors in OAuth
  https://datatracker.ietf.org/doc/draft-ietf-oauth-closing-redirectors/
  No further feedback has been received. WGLC?

- OAuth 2.0 Device Flow
  https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
  Compare the document with current deployments and provide feedback.
  Mike to send feedback from the Microsoft team.

- Conclusion (Hannes, 10 min)