Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
Vittorio Bertocci <vittorio.bertocci@auth0.com> Thu, 06 December 2018 01:32 UTC
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCBF130EFF for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 17:32:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u70rq1Furspq for <oauth@ietfa.amsl.com>; Wed, 5 Dec 2018 17:32:02 -0800 (PST)
Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27818130F0A for <oauth@ietf.org>; Wed, 5 Dec 2018 17:32:00 -0800 (PST)
Received: by mail-lf1-x144.google.com with SMTP id i26so16230221lfc.0 for <oauth@ietf.org>; Wed, 05 Dec 2018 17:32:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=FGACXNItXpDVAcY542485ItAbjU0XfcKKIwAWvrHll8=; b=aGN8uFesn2RnFqnY2eOvF3NUkhhoOjtGtagMIvH6/8dV3eQOyObQgIgsMGxKMMR8JP w8cskrKwz53KQW/ubO4EodNe6GkCOdGn6qZnP0MnoZ1sCEyH6uc2MQpjm5MgQfi2MvVo e14YztE7ATeQ0Xgg0DntPIyQn6kLk1o8QZxV54FLKy2LXR6xwHcoxo7Figp3cbfYAdY3 IseqRLwzqITomb+rBuGahJHBUexa7yGoF/1gA5R0SGwxbZ1NrwncAIH0+HuHDS8Ov3Mq ZWkcWReTClebYgn8sCfKKihgM/rBoZfRU42jrlwfPUTOkTjZVe6xDiJjjIfGCIVb43p1 nEZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=FGACXNItXpDVAcY542485ItAbjU0XfcKKIwAWvrHll8=; b=IWnFvC/Aky8Sv7k5fiCeZRHU4ju/aDdA1fUmNaDprMomFXNwgOBQIX209/r4ZD6dQ9 eXjbuIN+N26vN1d7bAYe+4gT8xyzuEoFYi6NpqQem6k1bRj4QauxMzt7aCvRlHMBpeNp qg3/tf1MDYJkwFreZL8nhd7qXwES6urZQyuLszHX9FZiM5b+MPomCzHORmfFNgFOwt3R kpg/79JwZWNN1vXiPFs9Biw7TBlwJ/e5Nv7eSv6JwBt62Bv2m12EexCkiNJKS/8R9jeb utQcmtknyI2iDVO8xchsYb9oxRe8A0vbuBowVd3EcA4+3AYTIJ9zhumriT6nA43NTo2m 4Lcw==
X-Gm-Message-State: AA+aEWb4zfjs7aXu5yB8fDq6vw5wwlhQB18KNgeZmAUHKp9kq+OckZ24 uPI0kmbkmjXl2vPSo53D1vVrwHZYFXvujucqzvrB1g==
X-Google-Smtp-Source: AFSGD/U43RYnIG7WRzx7Yt2Ya9f7KqHgXP1vm3YUSkOvt/gKLCi+ZKas0scleBmzBSJx6zNUQQchKVbXGyW0S9cyDp0=
X-Received: by 2002:a19:ae03:: with SMTP id f3mr16358060lfc.86.1544059918178; Wed, 05 Dec 2018 17:31:58 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net>
In-Reply-To: <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net>
Reply-To: Vittorio@auth0.com
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Date: Wed, 05 Dec 2018 17:31:46 -0800
Message-ID: <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Tomek Stojecki <tstojecki@yahoo.com>, Daniel Fett <fett@danielfett.de>, Brian Campbell <bcampbell@pingidentity.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ef718b057c5076be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1e3KKy3-m9CuY8trr2QDkGL7xIk>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 01:32:08 -0000
Hey Torsten/Tomek, Can I ask a clarification on the below? Torsten, you mentioned that an AS doesn't need to issue a RT- the browser code can just repeat an authorization request. Did I get it right? But in order to preserve the user experience, that cannot really happen as a full page redirect; right? That wouldn't fly for any kind of background update, or for retrieving new ATs for different resources based on the same session. So would we now use a hidden frame to retrieve a code in the same way in which we used fragments to get new ATs? Thx V. On Wed, Dec 5, 2018 at 7:17 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Hi Tomek, > > > Am 05.12.2018 um 15:27 schrieb Tomek Stojecki <tstojecki@yahoo.com>: > > > > Hi Torsten, > > > > On Wednesday, December 5, 2018, 1:17:08 PM GMT+1, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > > > > > > >> So if I am putting myself in the shoes of somebody who sets out to do > that - switch an existing SPA client (no backend) > > > > > I would like to ask you a question: how many SPAs w/o a backend have > you seen in your projects? > > > > SPA (html+js) utilizing a 3rd party api that requires authorization? > > If you do have a backend, aren't you better of handling the token > request on the backend as pointed out here > > > https://github.com/aaronpk/oauth-browser-based-apps/blob/master/oauth-browser-based-apps.md#javascript-app-with-a-backend-component > > I agree. > > > My point of putting (no backend) in parenthesis was to not derail this > discussion and of course it had the opposite effect. > > > > You know, I you says „don’t look at the green car“ will cause everyone > looking for it :-) It asked just out of curiosity. > > > >> Is that fair or is that too much of a shortcut? I am familiar with > the specs you've referenced and have looked at them again, but dealing with > a SPA, some of the recommendations are not feasible (can't authenticate the > client, > > > > > You could using dynamic registration (see other thread). The > protection would only differ from refresh token rotation if you would use > public key crypto for client authentication. > > > > Good point. How well is dynamic registration supported across AS? > > I leave that to the vendors :-) > > > > > >> confidentiality in storage? - not sure how to read that in the > context of a browser) > > > > > How do you ensure confidentiality of session cookies? > > > > All I am trying to say is that I think context is important here. So > when you point out these best practices, some of them will get people > confused as far as what it means in the browser based app scenario. > > That’s why we have the more general Security BCP and client-specific BCPs, > like for native apps (https://tools.ietf.org/html/rfc8252) and the new > BCP for SPAs Aaron started to work on. > > > Maybe it is just me :) > > thanks for raising the question! We need this kind of input to govern the > development of our specs. > > kind regards, > Torsten. > > > > > > > > > On Tuesday, December 4, 2018, 2:08:55 PM GMT+1, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > > > > > > > > > Hi Tomek, > > > > > > > Am 04.12.2018 um 09:50 schrieb Tomek Stojecki <tstojecki= > 40yahoo.com@dmarc.ietf.org>: > > > > > > > > I agree with Vittorio, Dominick et al. > > > > > > > >> I disagree. > > > > > > > >> Existing deployments that have not mitigated against the concerns > with implicit should be ripped up and updated. > > > > > > > > Yes, just like future deployments that will not mitigate against the > concerns of code in the browser should be a concern. > > > > > > I agree. That’s why I pointed point yesterday that the Security BCP > also defines obligations for clients using code. > > > > > > > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1 > > > > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-2.1.1 > > > > > > > > > > > Can somebody on the other side of the argument (and I hate to make > it sound like there are two sides, because we're on the same side as far as > Implicit's AT in front-channel is a real issue) address Dominic's comment: > > > > > > > >> Also - simply saying “implicit is evil - switch to code” means for > most people also using refresh token - so we are treating access tokens in > the URL with refresh tokens in session storage (over simplified - but you > get the idea). > > > > > > > > Does the group agree|disagree that a recommendation to switch to > code should be made as long as it is followed by an explanation and > guidance on what to do with RTs? The ideas that were floated around > > > > - Token bound RTs (even though it was pointed out that token binding > is still considered an emerging standard). So should the recommendation > than say "switch to code and MUST use token bound RTs"? > > > > - Have AS not release RTs. "Switch to code and DO NOT request RTs"? > Or switch to code and configure AT to not release RTs for this type of > client (not sure what that even looks like in a form of a 3rd party > clients)? > > > > - RTs short lived and bound to a session - "Switch to code as long > as AT can bind and revoke RTs when you log out“ > > > > > > Basically, the AS does not need to issue refresh tokens. If the AS > does not issue refresh tokens, the integration pattern for SPAs does not > change (beside the code exchange). If the client needs a new access token, > it will perform another authorization request. > > > > > > If it does, this adds another layer of security because it allows the > client to frequently obtain new access tokens, which can be short-lived and > scope restricted. > > > > > > The refresh tokens should be replay protected by issuing new refresh > tokens with every refresh and detect replay for refresh tokens belonging to > the same grant. > > > > > > The AS may additionally bind refresh tokens to AS sessions, but as it > was pointed out by Annabelle and others, there are some implications to be > understood and managed in that context. > > > > > > You may find more text about refresh tokens in the Security BCP > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10#section-3.12 > > > > > > kind regards, > > > Torsten. > > > > > > > > > > > > > > Sorry if I have missed an important detail from the list above, > people who have proposed these ideas, feel free to clarify. > > > > > > > > > > > On Monday, December 3, 2018, 10:51:00 PM GMT+1, Dick Hardt < > dick.hardt@gmail.com> wrote: > > > > > > > > I disagree. > > > > > > > > Existing deployments that have not mitigated against the concerns > with implicit should be ripped up and updated. > > > > > > > > For example, at one time, I think it was Instagram that had deployed > implicit because it was easier to do. Once the understood the security > implications, they changed the implementation. > > > > > > > > BCPs are rarely a response to a new threat, their are capturing Best > Current Practices so that they become widely deployed. > > > > > > > > > > > > > > > > > > > > On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell <bcampbell= > 40pingidentity.com@dmarc.ietf.org> wrote: > > > >> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are > saying here. And that was kind of behind the comment I made, or tired to > make, about this in Bangkok, which was (more or less) that I don't think > the WG should be killing implicit outright but rather that it should begin > to recommend against it. > > > >> > > > >> I'm not exactly sure what that looks like in this document but > maybe toning down some of the scarier language a bit, favoring SHOULDs vs. > MUSTs, and including language that helps a reader understand the > recommendations as being more considerations for new > applications/deployments than as a mandate to rip up existing ones. > > > >> > > > >> > > > >> > > > >> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7jtb@ve7jtb.com> > wrote: > > > >>> > > > >>> We just need to be sensitive to the spin on this. > > > >>> > > > >> > > > >> CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited... If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any file > attachments from your computer. Thank > you._______________________________________________ > > > >> OAuth mailing list > > > >> OAuth@ietf.org > > > >> https://www.ietf.org/mailman/listinfo/oauth > > > >> > > > > _______________________________________________ > > > > OAuth mailing list > > > > OAuth@ietf.org > > > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > > _______________________________________________ > > > > OAuth mailing list > > > > OAuth@ietf.org > > > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > > > OAuth mailing list > > > OAuth@ietf.org > > > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] OAuth Security Topics -- Recommend aut… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hans Zandbelt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… William Denniss
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Nat Sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Richard Backman, Annabelle
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Petteri Stenius
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dave Tonge
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Willeke
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dominick Baier
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Marius Scurtescu
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Justin Richer
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brock Allen
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt