Roman Danyliw - AD
Rifaat Shekh-Yusef – Chair
Dick Hardt – Notetaker
Aaron Parecki
Anthony Nadalin
Bhupinder Singh
Brock Allen
Justin Richer
Mike Campbell
Peter Yee
Tim Cappalli
Vittorio Bertocci
Francis Pouatcha
Bjorn Hjelm
Mike Jones
Bob Natale
Sergey Puzin
Filip Skokan
JWT -> IESG
OAuth 2.1 is WG doc
JWT Profile for Access Tokens
JWT Secure AuthZ – JAR
Roman: I am aware of the JWT Introspection and will take a look. JAR is on the coming telechat agenda.
Mike: Check 6749 errata to ensure it is included
Roman: Check any errata on any of the reference documents
Vittorio: Refresh Token MUST for SPA and SHOULD for mobile apps.
Justin: volunteers to review OAuth 2.1
Like to see notion of sender constraining access tokens to have more prominence.
A lot of leaning on OpenID Connect, and not step into OpenID Connect territory.
Vittorio: implicit is used and is safe in OpenID Connect form post flows, and deprecating it in OAuth 2.1 is problematic. A carve-out for implicit use in OpenID Connect form post flow.
Aaron: implicit flow is not described in OAuth 2.1, rather than being deprecated.
Justin: if implicit and password are not mentioned, then people may think that protocol is extensible, and the flows could be used. Some language describing implicit grant.
Mike: support Vittorio's suggestion. State that implicit with form post is not dangerous.
Aaron: describe what is safe -- implicit from authz endpoint is ok, but from token endpoint is not.
Dick: address the implicit etc. in security considerations.
Mike: the implicit flow also applies to returning Access Token in addition to ID Token
Aaron: the AS does not know the Access Token was delivered to the Client.
Mike: we want to make sure people can keep using what is safe.
Justin: Can OAuth 2.0 and OAuth 2.1 talk to each other? Do we keep the plain transformation for the code challenge?
Aaron: Are there any attacks in the plain transformation? Has the security BCP ruled out using plain transformation?
Justin: more description on what compatibility means?
Dick: what is not compatible?
Justin: OAuth 2.0 is different from OAuth 2.1.
Aaron: call out more about what is different -- OAuth 2.1 is OAuth 2.0 with best practices.
Justin: will make suggested changes when reviewing the document.
# Document Review Volunteers:
* Justin Richer
* Mike Jones
* Vittorio Bertocci
Tony: difference between obsolete and deprecate.
Dick: I took the same language as was in 6749
Aaron: took it to mean that people should look at OAuth 2.1
Roman: obsolete means OAuth 2.1 is what the IETF recommends. For example, TLS 1.2 is still used, even though TLS 1.3 is what is recommended.
Filip: what about other referenced documents? Are they obsoleted?
Roman: we will need to discuss in the WG and the metadata in the OAuth 2.1 document what is being obsoleted.
Rifaat: How does obsolete relate to deprecated?
Roman: there is no concept of deprecated. There is the concept of a historic document, but that is stuff that is not being used in the world.
Rifaat: many people may not be clear on what obsolete means.
Roman: this is IETF definitions and we need to provide clarity in the document so readers understand the intent.
https://ietf.webex.com/recordingservice/sites/ietf/recording/play/e79836a6ac414d39bb75bd391541556f