Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
George Fletcher <gffletch@aol.com> Thu, 04 April 2019 14:14 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE702120678 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 07:14:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_jPP3j5Ld4i for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 07:14:04 -0700 (PDT)
Received: from sonic306-2.consmr.mail.bf2.yahoo.com (sonic306-2.consmr.mail.bf2.yahoo.com [74.6.132.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D58B1200EC for <oauth@ietf.org>; Thu, 4 Apr 2019 07:14:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554387243; bh=3edl0LrvusMNk51tYWE9BF8Ad03bQNRHdZk9S/GEa5I=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=Ne551wHwOrg0O25862BH6uO+29+5RM2rW4DWUy6aEw+TO7lLtIbhbejOfp6NvmueMtCu8A8OtdOigab4TtxMJVMowBaB2GHuNkZF5nU3YOixCn4cwKa4HKB8KNlPsF8fhn1xxJFwaJv3PDgMw4LwCIt8fHos4JUtthToLtv8iiNB2WviNbiEtuUHZZS60v8STfhAPfSnT1IP3SnOChFraylxdwvS7M5GKRIoexAENMVcEPK61VW4nsCqFbX0ilWnHSLaVlAqvu2fa1FXlOR9WXLNH6ZOD3X7zB5uSrGiooamtMNnSvFxuKHln7FEGh05vrT0Sm3Uj0y7dQvkG4ez2Q==
X-YMail-OSG: MmJJkSQVM1ml1tpGCgwYTdAMucDqS1wUet7M8riJLSzlTPm16rbyH3ShEyrNoZs D8gGlvGupHTVrxsYWzs48wFyowkv2NZ_5s8KtG5qal9.XteU_8ilg78MQZMFxBuBON5O4isOGc0A 1foWHJq8siZJZ4l4obmu21WhHNRJYrA9e75KONweeWGE9K1NYeqV1y0GwgXf3JUUnn4ct7vPhgdw eA9eevidhzB2IowHrtqCo6lAOR2qrcFpNGVaDvCPAsjfsJfvUSs7aOeCIA_r4seXlcXLbV9JFS.r McTrQafPG3V64DsjxgGwbnHpedQGb0RDPDcerwBdJUyJCM5QjvACDDzzKQ6n6mx4Az8O3YsAq9lC 5WHmQ4wwFW09p66NUS7kbh7SLrsEwj5pyF4ZJdOWSaqo7sRe_Qa8X2JhrLiYYx0i5VTCTIotVVo_ w0wiFoB6RZxcFiXJweTZkDh1ZiSiKQ4jtlrVlxcnQImYyr7kD.uOjQ3u.XVUo_pA4c4D.CciIrkL yGCIvlOS1Bmj0nJmlpvsqcVgy1mn7PheX_W8dSWm0RlGv_VpD1VIj7vlKyRFI_V5iF3dppTL8._Y s2Ch_rHSJ.qJxivdkH_OT1Eu6UcojT4Bhni7mrD56AczaIpDVHunqP.m9KuBn_K35zan62ElFp1S WjAin_NJIhE_wbMwGrpv7dto.3iApsuoG7uHq67sJeMd4CleFEhl7oenXwcdISW9BBlQ_iADQ.8c eP9ilB6sjNWG1LComOCWCsjFAHECwhmR.TpE9khCeYnu4anFfIcWHcA094mSE1UQDkq4Ye.41IcD AcLgux9inzr7q758p6XWp8Su9hTqDS2NVJR8SnDFQSyidMXiA1rbYOsu.jIT5uFF5bYzfMEhh8AS Ff1Is0anP5l0jJysE_b.Zw4zHYlMjCCEqak7fURSZHJt_QwJsWk1xFuFzFcTUYt0nEdT.K2fKbHo OLtq8YtHqb88SFE05yKlDbhesczxwbTVzBRdRCOFTP4LT3Tf1VsBkPxC1SpJ3pzFEVRcRHerj4BJ ND2W1FDKPddwCHTVPt0Dy1QATwLffLPNnOj1xFViRT2fZXRLgIgL6oZoIWVktYS0Ox.LIF8C3QxF dvhnLMA9oZGphfAwltM5quhrExZ48gMKkb6X1
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 14:14:03 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp418.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 1b9112a718319920336df2b50afbc6ad; Thu, 04 Apr 2019 14:14:01 +0000 (UTC)
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Brian Campbell <bcampbell@pingidentity.com>
Cc: David Waite <david@alkaline-solutions.com>, IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <2a523e40-470b-4727-4e38-7a60552a285a@aol.com> <CB442B2B-4084-4C0D-8B4C-59C10423B387@alkaline-solutions.com> <CA+k3eCRS_Y1aXwX3U-q8uXRqd4hhot-s6nJ5d9qmbA9m0m9uUw@mail.gmail.com> <CAO_FVe73VZ2WsMVMhgCxCUPg3Wp1cbwRRkw=U_62KFrtAr34qw@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <d0f53cb5-bd4e-3716-d467-b4f405cf31ee@aol.com>
Date: Thu, 04 Apr 2019 10:14:00 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAO_FVe73VZ2WsMVMhgCxCUPg3Wp1cbwRRkw=U_62KFrtAr34qw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------84029669242BA5F0633FA575"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2H5UhnfrFvenKV1Fb2KwB2BXnNo>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 14:14:09 -0000
Comments inline... On 4/3/19 3:38 PM, Vittorio Bertocci wrote: > Thanks guys for the comment, sorry for the delay in addressing them. > I am not married to the claim types used in here, so if you think that > reusing the ones in the id_token can cause confusion we should expand > on the specific ways in which you think might go south. I'm fine with re-using claims... we just need to make sure if we reuse a claim it keeps the same semantic. > However I think it's important that the information on say, whether > the current token was obtained using MFA or a specific authentication > factor is something that API developers can legitimately latch to when > doing authorization decisions. From the perspective of a developer > modeling a solution, whether functionality is delivered as a route in > a postback based web app (hence receiving an id_token or derived) or > as an API consumed by a native app, the business requirement gating > access to that functionality doesn't change. If the admin managing > that resource establishes that access should be performed only via > MFA, the developer should be equipped to enforce that regardless of > the stack used to expose functionality (web app, API). > Although it is true that triggering the desired behavior might be > achieved by the resource setting and contract with the AS, along the > lines of what David said, it's actually not uncommon for those > policies to be assigned on the resource AFTER the current session was > established and/or the corresponding AT was obtained and cached. > Furthermore, the requirement might be more granular than an AS policy > can tolerate (an API might requires MFA only for certain routes, hence > hard to express in a static policy) and triggered in form of > challenges. So the situation in which you have an AT with the right > issuer, audience, etc but was obtained with a policy now > obsolete/unacceptable to the RP is strong. Requesting to support > revocation just for this seems overkill, especially given that the > scenario in which the same logical app is exposed as both web app and > native client+API, the code consuming those claims is already in > place. It just makes intuitive sense for developers. > In summary, one can take steps to push as much of the MFA requirements > to the AS settings for a particular request, but ultimately the desire > of the API developer to enforce that it actually happened is a > requirement I encountered often in practice. Anything providing extra > context to refine decisions about it (like auth_time, which might > inform decisions about whether to accept an MFA check occurred N > minutes ago or refuse access). As an aside, I worry about trying to put all information needed to make a dynamic policy decision into an access token. For cases where the policy can change over time including the lifetime of the access_token then I prefer the User Managed Access (UMA) approach as it inherently allows for dynamic policy change. > > I thought that reusing the existing names for the same concepts just > made sense (dev existing skills, existing codebases, etc etc) and > especially in the case in which the values are exactly the same, and > the idea seemed to receive good support during OSW. But I am > completely open to change it of course, especially for cases like the > one identified by George. > WDYT? > > On Wed, Apr 3, 2019 at 10:24 AM Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org > <mailto:40pingidentity.com@dmarc.ietf.org>> wrote: > > +1 to David's question here. I'd like to see justifying use cases > (beyond just the fact that some people are already doing it) for > auth_time, acr, and amr to be available in OAuth JWT access > tokens. Those claims are defined for, and in the context of, an ID > Token and I fear that codifying their use in an access token will > lead to misuse and/or confusion. > > On Mon, Apr 1, 2019 at 1:03 PM David Waite > <david@alkaline-solutions.com > <mailto:david@alkaline-solutions.com>> wrote: > > Do we know if there is a justifying use case for auth_time, > acr, and amr to be available in OAuth JWT access tokens? These > are meant to be messages about the client, either directly (in > the case of client credentials) or about its delegated > authorization of the user. > > Embedding attributes about the user (such as group membership > and roles) can be used for the resource to make finer-grained > decisions than scopes, but normally I would expect say acr > limitations enforced by a resource to instead be controlled by > the AS requiring a higher quality authentication to release > certain scopes. > > Thats of course not to say extensions to OAuth such as OIDC > can’t provide these values, just that they might better be > defined by those extensions. > > -DW > >> On Apr 1, 2019, at 9:12 AM, George Fletcher >> <gffletch=40aol.com@dmarc.ietf.org >> <mailto:gffletch=40aol.com@dmarc.ietf.org>> wrote: >> >> Thanks for writing this up. One comment on auth_time... >> >> auth_time OPTIONAL - as defined in section 2 of [OpenID.Core <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>]. >> Important: as this claim represents the time at which the end user >> authenticated, its value will remain the same for all the JWT >> access tokens issued within that session. For example: all the >> JWT access tokens obtained with a given refresh token will all >> have the same value of auth_time, corresponding to the instant in >> which the user first authenticated to obtain the refresh token. >> >> During a current session a user can be challenged for >> additional credentials or required to re-authenticate due to >> a number of different reasons. For example, OIDC prompt=login >> or max_age=NNN. In this context, I'd assume that the >> auth_time value should be updated to the latest time at which >> the user authenticated. >> >> If we need a timestamp for when the "session" started, then >> there could be a session_start_time claim. >> >> Thanks, >> George >> >> On 3/24/19 7:29 PM, Vittorio Bertocci wrote: >>> Dear all, >>> I just submitted a draft describing a JWT profile for OAuth >>> 2.0 access tokens. You can find it in >>> https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/. >>> I have a slot to discuss this tomorrow at IETF 104 (I'll be >>> presenting remotely). I look forward for your comments! >>> >>> Here's just a bit of backstory, in case you are interested >>> in how this doc came to be. The trajectory it followed is >>> somewhat unusual. >>> >>> * Despite OAuth2 not requiring any specific format for >>> ATs, through the years I have come across multiple >>> proprietary solution using JWT for their access token. >>> The intent and scenarios addressed by those solutions >>> are mostly the same across vendors, but the syntax and >>> interpretations in the implementations are different >>> enough to prevent developers from reusing code and >>> skills when moving from product to product. >>> * I asked several individuals from key products and >>> services to share with me concrete examples of their JWT >>> access tokens (THANK YOU Dominick Baier >>> (IdentityServer), Brian Campbell (PingIdentity), Daniel >>> Dobalian (Microsoft), Karl Guinness (Okta) for the >>> tokens and explanations!). >>> I studied and compared all those instances, identifying >>> commonalities and differences. >>> * I put together a presentation summarizing my findings >>> and suggesting a rough interoperable profile (slides: >>> https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx >>> <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx> >>> ) - got early feedback from Filip Skokan on it. Thx Filip! >>> * The presentation was followed up by 1.5 hours of >>> unconference discussion, which was incredibly valuable >>> to get tight-loop feedback and incorporate new ideas. >>> John Bradley, Brian Campbell Vladimir Dzhuvinov, Torsten >>> Lodderstedt, Nat Sakimura, Hannes Tschofenig were all >>> there and contributed generously to the discussion. >>> Thank you!!! >>> Note: if you were at OSW2019, participated in the >>> discussion and didn't get credited in the draft, my >>> apologies: please send me a note and I'll make things >>> right at the next update. >>> * On my flight back I did my best to incorporate all the >>> ideas and feedback in a draft, which will be discussed >>> at IETF104 tomorrow. Rifaat, Hannes and above all Brian >>> were all super helpful in negotiating the mysterious >>> syntax of the RFC format and submission process. >>> >>> I was blown away by the availability, involvement and >>> willingness to invest time to get things right that everyone >>> demonstrated in the process. This is an amazing community. >>> V. >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). > Any review, use, distribution or disclosure by others is strictly > prohibited... If you have received this communication in error, > please notify the sender immediately by e-mail and delete the > message and any file attachments from your computer. Thank > you./_______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Nov Matake
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Pedro Igor Silva
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… CARLIER Bertrand
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… donald.coffin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Nov Matake
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dave Tonge
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Rob Otto
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Steinar Noem
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dave Tonge
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Binningsbø
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Benjamin Kaduk
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… David Waite
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Mike Jones
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Mike Jones
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Binningsbø
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Karl McGuinness
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- [OAUTH-WG] OAuth security topics Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- Re: [OAUTH-WG] OAuth security topics Hannes Tschofenig
- [OAUTH-WG] Off Topic: oauth-bounces Neil Madden
- Re: [OAUTH-WG] OAuth security topics Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth security topics Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] Off Topic: oauth-bounces Benjamin Kaduk
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth security topics Torsten Lodderstedt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth security topics Neil Madden