Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code reuse and OAuth 2.1
Pieter Kasselman <pieter.kasselman@microsoft.com> Wed, 13 October 2021 20:25 UTC
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Aaron Parecki <aaron@parecki.com>, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
CC: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5itlEAuMan383j8-Vmt7wBqo3k8>
Aaron,

I was curious what prevents an attacker from presenting an Authorization Code and a PKCE Code Verifier for a second time if the one time use requirement is removed. Is there another countermeasure in PKCE that would prevent it? For example, an attacker may obtain the Authorization Code and the Code Verifier from a log and replay it.

Cheers

Pieter

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Aaron Parecki
Sent: Wednesday 13 October 2021 18:40
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1

Warren, I didn't see you on the interim call, so you might be missing some context.

The issue that was discussed is that using PKCE already provides all the security benefit that is gained by enforcing single-use authorization codes. Therefore, requiring that they are single-use isn't necessary as it doesn't provide any additional benefit.

If anyone can think of a possible attack by allowing authorization codes to be reused *even with a valid PKCE code verifier* then that would warrant keeping this requirement.

---
Aaron Parecki

On Wed, Oct 13, 2021 at 10:27 AM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> wrote:

Isn't it better for it to be worded as we want it to be, with the implication being that of course it might be difficult to do that, but that AS devs will think long and hard about sometimes not denying the request? Even with MUST, some AS will still allow reuse of auth codes. Isn't that better than flat out saying: sure, there's a valid reason

In other words, how do we think about RFCs? Do they exist to be followed to the letter or not at all? Or do they exist to stipulate this is the way, but acknowledge that not everyone will build a solution that holds them as law.

Let's look at SHOULD

This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

I think recommended here is not sufficient nor are there valid reasons. "It's too hard" isn't really a valid reason. Isn't it better in this case for an AS to not be compliant with the RFC, than it is to relax this to SHOULD and have lots of AS thinking reusing auth codes is a viable solution, "because they are a special snowflake where SHOULD should apply".

Are we setting the standard or instead attempting to sustain a number of "AS that are in compliance with the RFC"?

Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.

On Wed, Oct 13, 2021 at 7:17 PM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

During today's call, it was asked whether we should drop the OAuth 2.0 language that:

"The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code."

The rationale given was that enforcing one-time use is impractical in distributed authorization server deployments.

Thinking about this some more, at most, we should relax this to:

"The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server SHOULD deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code."

In short, it should remain illegal for the client to try to reuse the authorization code. We can relax the MUST to SHOULD in the server requirements in recognition of the difficulty of enforcing the MUST.

Code reuse is part of some attack scenarios. We must not sanction it.

-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
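
Added example, not part of the original message or of any poster's or project's code: a minimal token endpoint that applies the PKCE S256 check and, optionally, the single-use rule quoted in the thread (deny the request and revoke tokens issued from that code), so the outcome of a second redemption with the same code and verifier can be compared under both policies. The `TokenEndpoint` class, its method names and the in-memory stores are hypothetical, and code expiry and client authentication are left out.

```python
import base64
import hashlib
import secrets


def s256(code_verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenEndpoint:
    """Hypothetical in-memory authorization server (illustration only)."""

    def __init__(self, enforce_single_use: bool):
        self.enforce_single_use = enforce_single_use
        self.grants = {}            # code -> challenge, used flag, issued tokens
        self.active_tokens = set()  # tokens the AS still honours

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.grants[code] = {"challenge": code_challenge, "used": False, "tokens": []}
        return code

    def redeem(self, code: str, code_verifier: str):
        grant = self.grants.get(code)
        if grant is None:
            return None
        # PKCE binds the code to whoever knows the verifier; it carries no
        # notion of "already redeemed".
        if not secrets.compare_digest(s256(code_verifier), grant["challenge"]):
            return None
        if self.enforce_single_use and grant["used"]:
            # Quoted OAuth 2.0 text: deny, and revoke tokens issued from this code.
            self.active_tokens.difference_update(grant["tokens"])
            grant["tokens"].clear()
            return None
        grant["used"] = True
        token = secrets.token_urlsafe(16)
        grant["tokens"].append(token)
        self.active_tokens.add(token)
        return token


def replay_outcome(enforce_single_use: bool):
    """Redeem one code twice with the correct verifier (constructed values)."""
    server = TokenEndpoint(enforce_single_use)
    verifier = secrets.token_urlsafe(32)
    code = server.issue_code(s256(verifier))
    first = server.redeem(code, verifier)
    second = server.redeem(code, verifier)
    # (first accepted?, second accepted?, first token still valid afterwards?)
    return first is not None, second is not None, first in server.active_tokens
```

With single-use enforcement off, the second redemption passes the PKCE check and yields another token; with it on, the second redemption is refused and the first token is revoked.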