Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
Vittorio Bertocci <Vittorio@auth0.com> Sun, 09 December 2018 11:10 UTC
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0D3A127598 for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 03:10:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THwSnbjY7IQ4 for <oauth@ietfa.amsl.com>; Sun, 9 Dec 2018 03:10:29 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69015124BF6 for <oauth@ietf.org>; Sun, 9 Dec 2018 03:10:29 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id v5so5977883lfe.7 for <oauth@ietf.org>; Sun, 09 Dec 2018 03:10:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ONpdSjLbqp8Efy/9xTFuj5S3KrJ7a7unrDlpqi2zNfg=; b=JXM0IJ9eJFh3Iui7iKHDesnbEuvHQFzUcH+329o6YrAehVz2IkgpEfS+krPmzLqrN0 S3ekAl6mj1wXJ3EBxgJY0WWxHOw8ChRQwvgOsZIZ+WeNYhvmllgtB/yFlbYoeHDBsTZP Rf9Yv96621hcCFDuWwnSmvpPO9K+g3ewYMVKM/HFQPv1t2JxJj2NXcOlKClXiwGH7hwD u1W5LNP7TsId8VXlaqKfTP8EvN3IPa+yUC+RqJCS0dwfaJHtt/C5TG2RyIeg3Lx+OEyK UyGPq4YhJ0rjvWzlOST+nWrfJpOn10Ej58rWXNlUGiZ7oYA2LPTr1LGgYF6g3eZ+XW11 ZNRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ONpdSjLbqp8Efy/9xTFuj5S3KrJ7a7unrDlpqi2zNfg=; b=Th8ZsXQY7Cea/MM03rfFAyIHyPyHLCeg8XQaoz/PUpCJf8sysIenWlojGLFZWkSf+s zEsNbnT9GPypIBs3tKz1SGufKP9hrwbDgIoqqlf+OpwMBEiRqZX+YKfJ0oB/m8X7W0OU urJk5lXAcnqPdy8mUVW71pI7xwWqaA187mqduA5mVWL3DSD8bA5CQS6ElhZ4qJZMINFe O0MHA5qldR2bw1mFTntcLp7AqUCyBR9uB+NWSCAhTW+DzAjDN9QsKoGncmkcEN4j6stC boVJoObaMd0j4HMKYc3cesnH+465Gbza8wcY4qxadyBiNFOY0ZqQ/210a7Q0XtMn4Ilu DZgg==
X-Gm-Message-State: AA+aEWa0thyO6i8rHxtitAjE2KS7iwV5aLUuQqGo8PCYgNmsll0RwDWN ekIBVsZXkEKESaASqErRTRHgVeSqHblU+onst8MqbhrHbj4aQg==
X-Google-Smtp-Source: AFSGD/USKtxK6/mZYn682s+EDpi1QsGBDyns5ojuey5GgEROsXV2sjq+cW9e4vAIj59jTaHXNYTZJAgu8hcZrE6ms/8=
X-Received: by 2002:a19:3b9c:: with SMTP id d28mr4985138lfl.30.1544353827315; Sun, 09 Dec 2018 03:10:27 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CAD9ie-v3onmKc498cg_-a0AD58ZV=aZANtz=UV+Q0f=9N3nSzQ@mail.gmail.com> <OSBPR01MB2869E83F37046C7FCD4463DDF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <9FF3F589-0423-4CBC-B323-481F771D097C@lodderstedt.net> <OSBPR01MB28690F77DFFB2A85BDB83FBAF9D10@OSBPR01MB2869.jpnprd01.prod.outlook.com> <D6C66E6A-687B-4997-B830-980BE25994C2@lodderstedt.net> <CAANoGhL9aD75AV9QQRdeGE1=4ynjTnULNVr0PXXvt20ipsb4Rw@mail.gmail.com> <FE51CE20-7A49-4A13-A180-6A7C481F3965@lodderstedt.net> <CAGBSGjrzeeR5QQ=nA=gTj0q7sRvRVc0DDacbxB+ED87ymHSOuA@mail.gmail.com> <VI1PR0801MB21120AA6CC9437E237F481A2FAAC0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <EA38C666-2325-430A-91B0-C02AAC65FCC8@lodderstedt.net> <CAO_FVe7j_79sPrRSFXvQJax3vDjT_0=ZaWHW9aan9rJnLUftkA@mail.gmail.com> <CAO7Ng+vsQ2i4=V0nq+ymO6aNCvurb02+Zt7HHwp4=FnWCO4pUQ@mail.gmail.com> <CAANoGhLx42Noqw4WN-THXbGYvS3t1Z2_EmPs+z641-cNovFNvw@mail.gmail.com> <CAANoGh+1wRzz5x7jJrMy-KzCpeK0KN3fK2Qo62KEhz+9SE83=g@mail.gmail.com> <CA+k3eCRjET6gJjX+G7pq-kwFUDgppTK-mrXCAgMtYtW+gVrCbw@mail.gmail.com> <CAD9ie-t=wM6D_zwz0kuPkR19xGfFwfYP=0vjX8uGd4oKsukAOg@mail.gmail.com> <458858450.1398445.1543913404101@mail.yahoo.com> <9DF33F99-E78A-4197-BCEA-AC715761FE87@lodderstedt.net> <942315098.1664424.1543946581453@mail.yahoo.com> <FAFC4820-982B-49B9-9CC5-AFD5CFC4CA3B@lodderstedt.net> <1316266210.2176632.1544020051230@mail.yahoo.com> <468E0532-1B5D-4116-B930-A9B8AB7CDA5A@lodderstedt.net> <CAO_FVe4HrnnQb5-shvgeSAGa+XVKhHtXPsDT_TPezu4Y-CaD=A@mail.gmail.com> <693F457E-3B0F-4612-AE3B-D18462055932@lodderstedt.net> <CAO_FVe7_CsqkTCRSPK5iT5dH5w_NmDuZ-g-2UJgHefUP2i3beQ@mail.gmail.com> <194886B0-D8C8-4489-B66B-7993C7FA0F63@lodderstedt.net> <CAO_FVe7QhqZEcqeSurPU5QxTN3Z1Lp9zY6XpVQxk1VdCGLMUhA@mail.gmail.com> <1333FFC2-A2F0-479D-8E7C-9ACFEC8E5724@lodderstedt.net> <CAO_FVe7Kf9gXxi6phY_Mf-aSFV1uQEQu=OAUpST+tcaQc=9zDA@mail.gmail.com> <CADB4F42-9B05-4B2C-80F0-AA0F972C684D@alkaline-solutions.com>
In-Reply-To: <CADB4F42-9B05-4B2C-80F0-AA0F972C684D@alkaline-solutions.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Sun, 09 Dec 2018 03:10:15 -0800
Message-ID: <CAO_FVe7s+QUJzq2LjGbJYdqo7Gz6F5KM4S1-QBAc+Coj2dmYkw@mail.gmail.com>
To: David Waite <david@alkaline-solutions.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Daniel Fett <fett@danielfett.de>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000491b9e057c94e560"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8CIldbPHuXDtQZ4Xu96E2WWFTcM>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 11:10:33 -0000
I think we are running in circles. I am not talking about what provides should do in an ideal world, I am describing something that some providers do today that can impact developers in unintended ways if not take into account. We can agree that in the ideal world providers would take steps to fix the situation, and we should encourage to do so; but in the meanwhile if we don't warn people of those potential issues, some people might end up having issues. Let me try to rephrase one more time to see if I manage to explain the issue I am concerned about here. If you don't issue refresh tokens, the problem I am discussing doesn't occur hence we can ignore that case. I think that the point getting lost is: if you issue refresh tokens, per the longer description in my mail many widely adopted providers will issue refresh tokens whose validity doesn't end when the auth session from which they originated is disposed of. I am not debating whether that's the way it should be or not: it's a reality developers need to deal with today and that they are powerless to change overnight. The result is that if SPA apps are instructed to use refresh tokens as a way of getting new tokens, as opposed to the usual implicit trick, they'll now have a mean to get new tokens that is NOT tied to the session. Whereas with implicit every app relying on the auth session with the AS instantly loses the ability to call APIs, if developers use refresh tokens that aren't revoked with the session (and as established, with some providers they might not have a choice) they will have to perform explicit steps to probe whether the auth session is still ongoing, and dispose of the RTs themselves when it's not. I already suggested how I think this could be handled in the document: either not using RTs in the browser at all (for this potential problem, plus the lack of support for rotating RTs, plus the discussions about the difficulties storing them in XSS resistant fashion), or if we advise using RTs at least giving specific warnings about this scenario (making sure that the RTs issued by the provider of choice are session bound, and if they aren't suggest to developers to take measures like deleting RTs explicitly upon deletion of the auth session w the AS).(*) This doesn't absolve the providers from aligning their capabilities to the bar the scenario requires, but at least saves developers from introducing new issues in their apps as they move away from implicit. Some specific notes: >Note that the session cookie is fulfilling the role of the refresh token in the second case. Yep. That's what I was suggesting with only retrieving the code in the hidden browser and prompt=none for background renewals, no strict need for RTs. Note that I'd *love* to be able to use RTs in the browser as it would work around the issues with ITP2; but it seems there are issues to iron out before they can be adopted mainstream, or at least more guidance is necessary than the one we've been giving so far. > Also note that telling a browser to discard the cookie is not as good as supporting revoking it - if there is no revocation mechanism, a third party who gets the cookie/refresh token can use it for as long as policy allows. Of course. I am not saying I don't want providers to support revocation, I am saying today some important ones do not today. The fact that the mitigation a developer can do when explicitly managing artifacts lifecycle isn't as good as the one the provider could eventually do doesn't mean it's worthless, especially when it's the only mitigation available. >I don’t expect application developers to use libraries that locally enforce more restrictive policy just because the operators of the AS aren’t doing their job setting appropriate policy for their clients. So this is really more of something that the AS needs to understand about their own policy. I don't understand this. Put yourself in the shoes of a developer using one of those providers. For those developers, the feature set of their AS is an externality- like the weather. They can make feature requests, fill survey, send angry tweets- but if their entire codebase depend on tokens issued by the AS and that AS only issues RTs with offline_access semantic, knowing that the identirati don't agree with that limitation won't help them one bit to update their app to code flow from implicit. Given that there are things we can tell them (*) to either sidestep the problem altogether, or at least handle it, I am not sure I understand the pushback on providing that level of clarity. On Sun, Dec 9, 2018 at 12:57 AM David Waite <david@alkaline-solutions.com> wrote: > > > On Dec 8, 2018, at 8:27 PM, Vittorio Bertocci < > Vittorio=40auth0.com@dmarc.ietf.org> wrote: > > > Can you give a concrete example? To me it feels like you are explaining > scenarios where OAuth is used for login. > > That's one of the scenarios of interest here. We can debate on whether > that's proper or not, but the practical consequence is that if I have two > (or N) apps that can call APIs via tokens obtained with the implicit flow, > eliminating AS the session cookie will prevent them from getting new tokens > automatically, without the developer having to write any code for "signout". > The moment in which apps switch to code and hold on to RTs, the sheer fact > that the AS session cookie is gone will NOT stop individual apps from being > able to get new access tokens and call API. > That would be an unintended consequence of the switch to code, and > regardless of whether it's a consequence of people abusing the protocol or > not, I think this scenario should be documented and people should be warned > against it. > > > The AS is ultimately responsible for the security policy, though - if the > AS policy isn’t supposed to allow my application access after the user hits > log out, it should either: > 1. Tie my application refresh tokens to be revoked at the logout event > 2. Not give out refresh tokens to my application > > Note that the session cookie is fulfilling the role of the refresh token > in the second case. Also note that telling a browser to discard the cookie > is not as good as supporting revoking it - if there is no revocation > mechanism, a third party who gets the cookie/refresh token can use it for > as long as policy allows. > > I don’t expect application developers to use libraries that locally > enforce more restrictive policy just because the operators of the AS aren’t > doing their job setting appropriate policy for their clients. So this is > really more of something that the AS needs to understand about their own > policy. > > -DW >
- [OAUTH-WG] OAuth Security Topics -- Recommend aut… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hans Zandbelt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… William Denniss
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Nat Sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Richard Backman, Annabelle
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Petteri Stenius
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dave Tonge
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Willeke
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dominick Baier
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Marius Scurtescu
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Justin Richer
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brock Allen
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt