Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
Mike Jones <Michael.Jones@microsoft.com> Wed, 15 January 2020 21:27 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCA7612098E for <oauth@ietfa.amsl.com>; Wed, 15 Jan 2020 13:27:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0CrPqMkLHC9R for <oauth@ietfa.amsl.com>; Wed, 15 Jan 2020 13:27:40 -0800 (PST)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640137.outbound.protection.outlook.com [40.107.64.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD48C12097F for <oauth@ietf.org>; Wed, 15 Jan 2020 13:27:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jo/e+R6shsrDot1QIJb9xuDzMfH60OBaQqCvdTA3tsdbNrWc70aZBpN9yrqfSqfrBa/Yvsm50kEzVKqaVP6JDgwaL0iQqZ7EiJSTToNEjrl1NbENmRwcQDr+fY+yEkHp7gpVnSbz1eBDUIiI0Rj6UpPAccdGFyo9bg2e1pO48rTCkKiMnitY2xT7oMmWNeQ2HpgOWqXlhmn2QydPg6OOP2Hdh0YBcP/z9NYRvoTrBRNFxstFjrLurtuATiRGncLpj8cg7hb2UW8G2KO3Q2Cr7/+prssM2JzjywKKQhqOm6nWZ3bKlZ74J9gx+zxiZ/g4kQdYWBZtQGKtMqmtSLdk/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t/t3mArVHSUyGNYnOTbwTE6fyAT2lHcughXE5RbshMM=; b=Zh2PFIa8QZywgGx8UC4EMmg/5+OpJaKLX/7D0Ed6Ew9gD+rPXVpwqxyJORFHGwAAkFLKOFQwhg/+0L3IDZW8ngphp0wYN1pz2pPRVpFbC3yExOQn8Bs42x0+BHDvGxcxolNleMJ9s4nSd9u1LJBlp1mss9Pe4sKNjBdjodF2G/gl2L9CRejPSXKy8C1VXA6t9lmlbP9dVcMnzPqzBJO3Fpz/IEpUpGg+ml2P6EnSRVxdiSDFLHpYkcv4idXUTcAmpPLtwM6ryZ1odbsuMq6xpaDxy4l5ihFeV5ce5LuRiyYbLtVxVf8UvN4+n1bHr6/DALgf6q8QWpAPPdKsKl+YMQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t/t3mArVHSUyGNYnOTbwTE6fyAT2lHcughXE5RbshMM=; b=M44bxBKg3n8bpapbsaQOr9EgMCrBb+oDj0/HEtFt9eHHGlK+uGrIwVJt1VJqoIDMU40dvJ83NdL/K4FI8+u9UcfDYb8EMRvASdxFQmGSdufomzdPWufblwJhUU6x7jzH6kmmgSn19t8rXaJwW486jZ1NSzZjQgg+uM2+z2fxvWs=
Received: from CH2PR00MB0679.namprd00.prod.outlook.com (20.180.16.71) by CH2PR00MB0794.namprd00.prod.outlook.com (10.186.139.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2684.0; Wed, 15 Jan 2020 21:27:38 +0000
Received: from CH2PR00MB0679.namprd00.prod.outlook.com ([fe80::bc12:5826:ded6:299]) by CH2PR00MB0679.namprd00.prod.outlook.com ([fe80::bc12:5826:ded6:299%5]) with mapi id 15.20.2671.000; Wed, 15 Jan 2020 21:27:38 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>, Takahiko Kawasaki <taka@authlete.com>
CC: John Bradley <ve7jtb@ve7jtb.com>, IETF oauth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
Thread-Index: AQHVyv76Tgq69ACZJ0qRRkD+fK3CnqfsODiAgAAGkSA=
Date: Wed, 15 Jan 2020 21:27:38 +0000
Message-ID: <CH2PR00MB0679453419D7494476B21DFDF5370@CH2PR00MB0679.namprd00.prod.outlook.com>
References: <fc3805e5-e908-00db-a734-990721371ab2@connect2id.com> <79C4475C-FDEB-42C8-8A44-7BFE4DBF9453@gmail.com> <110a95d9-2981-6d2b-9cbf-9658be3585cc@connect2id.com> <CAANoGhK0-n6V_RogvVZ=8J8AQCEUUVJQn4_7wSWYixeQM8aZsw@mail.gmail.com> <CH2PR00MB0843D5044E11E0F4CE5F5D09F53B0@CH2PR00MB0843.namprd00.prod.outlook.com> <CAANoGhJB4mYSFiWKt3T=cObH7uCW0s3Zpv2m92+YaAY2Oy4mqw@mail.gmail.com> <2aca5c38-bb20-497e-14ed-f4a9245a9439@connect2id.com> <7baae999-47c1-f749-6c51-f45022ab1a3d@ve7jtb.com> <3d9ffc74-6c9c-48a1-0c98-65a7465e8dbc@connect2id.com> <CAHdPCmNHeUyDjrc32oQPZ5g3oars-XY3vq2p3qt2LzzkZMTw5w@mail.gmail.com> <89345e9b-8191-f01d-71a6-453ec197796f@connect2id.com>
In-Reply-To: <89345e9b-8191-f01d-71a6-453ec197796f@connect2id.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=5cf92803-4e58-4f11-9ed9-00000b322440; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-01-15T21:26:03Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:4898:80e8:f:63b8:5fb2:5e31:1cf3]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 5116299f-7506-4a21-9d25-08d79a01bec6
x-ms-traffictypediagnostic: CH2PR00MB0794:
x-microsoft-antispam-prvs: <CH2PR00MB079476450DE58DE48259B80DF5370@CH2PR00MB0794.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-forefront-prvs: 02830F0362
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(346002)(376002)(136003)(396003)(39860400002)(366004)(189003)(199004)(33656002)(10290500003)(86362001)(478600001)(7696005)(66556008)(64756008)(76116006)(66446008)(66476007)(66946007)(53546011)(5660300002)(4326008)(966005)(71200400001)(6506007)(54906003)(8936002)(9686003)(81166006)(110136005)(55016002)(52536014)(81156014)(2906002)(8676002)(66574012)(316002)(186003)(8990500004); DIR:OUT; SFP:1102; SCL:1; SRVR:CH2PR00MB0794; H:CH2PR00MB0679.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: FFPgv6tSM//qckuY72f/dl/vGX9mfRAIyJFCqfCzFqSOmrTCPgJPWdDSZd4cbk+bXEEOLXXxbr+VeDWiHjn1nsN/Lbw2nkq6pp48W0R5BLTNTzLTp+SF0zSpVvq4RDe0ZjZaUMfQJkuaM3lmf5kc8oya1h97jVe064n+2+Fp+U54SBFp2C+kYM548rYPPArbHnWOcH7H58tRchVA0RLCx9lffpHtjWTXzrmiawHTwkEf0hTJeMHsiTPRAgOe7neM+mS4L8DbHOCGBlAoiXrYX2VmH9Ak4ERcCcjGyUCBMMbvmZv6zHbTJM3Fsg6yx/JERVUzDN2TNxXE2H9Qg5wEXPbbIFZpg2XznuRiNY8A9Ei8ERR/3uFkG5+1O9Id4TrDZ9xuogKa5QPZFLOG84baa5lMBKyBZggCtGR2igDQeSkreVemdBeeYTDZomAz+VSu4Eql+qwvs1aqQN1PFQiydYmmzF8YWS7x43X2wcpK3+I=
x-ms-exchange-antispam-messagedata: L240Hc4qWdNCeZw6hCW7UPW1fxtu/56wThScBQbqlVVQ8EMHxlLBkEMRVbtPfN85ivl0be9Ap2pSOOfudMgeAgnouA/uMpTdAN1NiYDSdOON+UCx/a2+S1NYZKig5JYtuDkzdaJKiFRU8CUtO2I/2PlIwQyVIWM2gDNwLeISdGlmtZ3FQX+11oIbAHxCvnZjlumH4GfIC1npA/GBRxniGw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB0679453419D7494476B21DFDF5370CH2PR00MB0679namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5116299f-7506-4a21-9d25-08d79a01bec6
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jan 2020 21:27:38.1093 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: NKcyVx1UFOoDbOTBmkrehX2Aatzi+3VAnwgWoz112AsZQOHeghdNH4dbWfZbcTd1aHiD77TrmENwOuLg6l6flg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR00MB0794
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8b90qb4JwRyvipKi1TUDWaatRVo>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 21:27:43 -0000
I’m increasingly thinking that we should push back on the IESG and go back to the semantics that the working group approved. We can use the client_id example with an encrypted request object to motivate the (Connect-compatible) syntax and semantics. -- Mike From: Vladimir Dzhuvinov <vladimir@connect2id.com> Sent: Wednesday, January 15, 2020 1:03 PM To: Takahiko Kawasaki <taka@authlete.com> Cc: John Bradley <ve7jtb@ve7jtb.com>; Mike Jones <Michael.Jones@microsoft.com>; IETF oauth WG <oauth@ietf.org> Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object On 14/01/2020 19:20, Takahiko Kawasaki wrote: Well, embedding a client_id claim in the JWE header in order to achieve "request parameters outside the request object should not be referred to" is like "putting the cart before the horse". Why do we have to avoid using the traditional client_id request parameter so stubbornly? The last paragraph of Section 3.2.1<https://tools.ietf.org/html/rfc6749#section-3.2.1> of RFC 6749 says as follows. A client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint. In the "authorization_code" "grant_type" request to the token endpoint, an unauthenticated client MUST send its "client_id" to prevent itself from inadvertently accepting a code intended for a client with a different "client_id". This protects the client from substitution of the authentication code. (It provides no additional security for the protected resource.) If the same reasoning applies, a client_id must always be sent with request / request_uri because client authentication is not performed at the authorization endpoint. In other words, an unauthenticated client (every client is unauthenticated at the authorization endpoint) MUST send its "client_id" to prevent itself from inadvertently accepting a request object for a client with a different "client_id". Identifying the client in JAR request_uri requests can be really useful so that an AS which requires request_uri registration to prevent DDoS attacks and other checks can do those without having to index all request_uris individually. I mentioned this before. I really wonder what the reasoning of the IESG reviewers was to insist on no params outside the JAR JWT / request_uri. I'm beginning to realise this step of the review process isn't particularly transparent to WG members. Vladimir Best Regards, Taka On Tue, Jan 14, 2020 at 12:57 AM Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>> wrote: John, thanks, much appreciated! On 11/01/2020 21:36, John Bradley wrote: Yes JAR is not prohibiting paramater replication in the header. I will see if i can add something in final edits to call that out. John B. On 1/11/2020 6:16 AM, Vladimir Dzhuvinov wrote: Thanks Mike for the rfc7519 section-5.3<https://tools.ietf.org/html/rfc7519#section-5.3> pointer. Can this parameter replication be used for client_id or the client_id ass "iss" even though it isn't explicitly mentioned in the JAR spec? On 11/01/2020 02:58, John Bradley wrote: Right we just don't say to put the iss there in OIDC if it's symetricly encrypted. OIDC doesn't have the symmetric key selection issue, I suppose that why the possibility to replicate params to the JWE header isn't mentioned at all. OIDC requires the top-level query params to represent a valid OAuth 2.0 request, and there client_id is required. If the client_id is present the client registration together with any present client_secret can be retrieved. I reread the JAR spec, this is the only place that mentions handling of symmetric JWE. https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-10.2 (b) Verifying that the symmetric key for the JWE encryption is the correct one if the JWE is using symmetric encryption. Vladimir On Fri, Jan 10, 2020, 9:41 PM Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote: The technique of replicating JWT claims that need to be publicly visible in an encrypted JWT in the header is defined at https://tools.ietf.org/html/rfc7519#section-5.3. (Thanks to Dick Hardt for bringing this need to my attention as we were finishing the JWT spec.) -- Mike From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On Behalf Of John Bradley Sent: Friday, January 10, 2020 2:15 PM To: Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>> Cc: IETF oauth WG <oauth@ietf.org<mailto:oauth@ietf.org>> Subject: [EXTERNAL] Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object The intent was to do that, but specs change once the OAuth WG and IESG get there hands on them. Being backwards compatible with OIDC is not a compelling argument to the IESG. We were mostly thinking of asymmetric encryption. Specifying puting the issuer and or the audience in the headder has come up in the past but probably is not documented. John B On Fri, Jan 10, 2020, 6:29 PM Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>> wrote: Yes, putting the client_id into the JWE header is a way around the need to have the client_id outside the JWE as top-level authZ request parameter. Unfortunately this work around isn't mentioned anywhere, I just checked the most recent draft-ietf-oauth-jwsreq-20. Our DDoS attack mitigation (for OIDC request_uri) also relies on the presence of client_id as top-level parameter, together with requiring RPs to register their request_uri's (so that we don't need to build and store an index of all request_uri's). I just had a look at "DDoS Attack on the Authorization Server" and also realised the request_uri registration isn't explicitly mentioned as attack prevention ("the server should (a) check that the value of "request_uri" parameter does not point to an unexpected location"). https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-10.4.1<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-jwsreq-20%23section-10.4.1&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cc470d4ec4bd14d481c0f08d7961a8abb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637142913068793193&sdata=%2FvHVp68SN5CAHimqZ5jx93aOCIruxqLCRMUFCc5DSxc%3D&reserved=0> To be honest, I feel quite bad about the situation with JAR we are in now. For some reason I had the impression that OAuth JAR was going to be the OIDC request / request_uri for general OAuth 2.0 use, as with other OIDC bits that later became general purpose OAuth 2.0 specs. I find it unfortunate I didn't notice this when I was reviewing the spec in the past. Vladimir On 10/01/2020 22:39, Filip Skokan wrote: > Vladimir, > > For that very case the payload claims may be repeated in the JWE protected header. An implementation wanting to handle this may look for iss/client_id there. > > Odesláno z iPhonu > >> 10. 1. 2020 v 21:19, Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>>: >> >> I just realised there is one class of JARs where it's practially >> impossible to process the request if merge isn't supported: >> >> The client submits a JAR encrypted (JWT) with a shared key. OIDC allows >> for that and specs a method for deriving the shared key from the >> client_secret: >> >> https://openid.net/specs/openid-connect-core-1_0.html#Encryption<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23Encryption&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cc470d4ec4bd14d481c0f08d7961a8abb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637142913068793193&sdata=soK9t7pzu504iILuDNFnG%2BMLxZPP2pN6ugEJ4ZOpqd4%3D&reserved=0> >> >> If the JAR is encrypted with the client_secret, and there is no >> top-level client_id parameter, there's no good way for the OP to find >> out which client_secret to get to try to decrypt the JWE. Unless the OP >> keeps an index of all issued client_secret's. >> >> >> OP servers which require request_uri registration >> (require_request_uri_registration=true) and don't want to index all >> registered request_uri's, also have no good way to process a request_uri >> if the client_id isn't present as top-level parameter. >> >> >> Vladimir >> >> >>> On 10/01/2020 20:13, Torsten Lodderstedt wrote: >>> >>>>> Am 10.01.2020 um 16:53 schrieb John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>: >>>> I think Torsten is speculating that is not a feature people use. >>> I’m still trying to understand the use case for merging signed and unsigned parameters. Nat once explained a use case, where a client uses parameters signed by a 3rd party (some „certification authority“) in combination with transaction-specific parameters. Is this being done in the wild? >>> >>> PS: PAR would work with both modes. _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cc470d4ec4bd14d481c0f08d7961a8abb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637142913068803145&sdata=kobH%2FsGT7ElSSUCJvu%2FbiAqnRCXx%2B4SZNJsrL%2FCuVyc%3D&reserved=0> _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -- Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Secured Authorization Request … Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Secured Authorization Request … John Bradley
- [OAUTH-WG] JWT Secured Authorization Request (JAR… Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Secured Authorization Request … Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Brian Campbell
- Re: [OAUTH-WG] JWT Secured Authorization Request … Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Brian Campbell
- Re: [OAUTH-WG] JWT Secured Authorization Request … Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Secured Authorization Request … Takahiko Kawasaki
- Re: [OAUTH-WG] JWT Secured Authorization Request … Nat Sakimura
- Re: [OAUTH-WG] JWT Secured Authorization Request … Dominick Baier
- Re: [OAUTH-WG] JWT Secured Authorization Request … John Bradley
- Re: [OAUTH-WG] JWT Secured Authorization Request … Nat Sakimura
- Re: [OAUTH-WG] JWT Secured Authorization Request … Takahiko Kawasaki
- Re: [OAUTH-WG] JWT Secured Authorization Request … Justin Richer
- Re: [OAUTH-WG] JWT Secured Authorization Request … Takahiko Kawasaki
- Re: [OAUTH-WG] JWT Secured Authorization Request … Justin Richer
- Re: [OAUTH-WG] JWT Secured Authorization Request … Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Secured Authorization Request … n-sakimura
- Re: [OAUTH-WG] JWT Secured Authorization Request … Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Takahiko Kawasaki
- Re: [OAUTH-WG] JWT Secured Authorization Request … Justin Richer
- Re: [OAUTH-WG] JWT Secured Authorization Request … John Bradley
- Re: [OAUTH-WG] JWT Secured Authorization Request … Justin Richer
- Re: [OAUTH-WG] JWT Secured Authorization Request … John Bradley
- Re: [OAUTH-WG] JWT Secured Authorization Request … Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Secured Authorization Request … Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Secured Authorization Request … Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Secured Authorization Request … John Bradley
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… John Bradley
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… John Bradley
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Takahiko Kawasaki
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Dominick Baier
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… John Bradley
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Nat Sakimura
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Neil Madden
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Nat Sakimura
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Joseph Heenan
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Justin Richer
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Jim Manico
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Justin Richer
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Brian Campbell
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Joseph Heenan
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Benjamin Kaduk
- Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authori… Neil Madden
- [OAUTH-WG] Fwd: [EXTERNAL] Re: JWT Secured Author… John Bradley
- Re: [OAUTH-WG] Fwd: [EXTERNAL] Re: JWT Secured Au… Nat Sakimura
- Re: [OAUTH-WG] JWT Secured Authorization Request … Mike Jones
- Re: [OAUTH-WG] JWT Secured Authorization Request … Joseph Heenan
- Re: [OAUTH-WG] Fwd: [EXTERNAL] Re: JWT Secured Au… Filip Skokan
- Re: [OAUTH-WG] JWT Secured Authorization Request … Brian Campbell
- Re: [OAUTH-WG] JWT Secured Authorization Request … George Fletcher
- Re: [OAUTH-WG] JWT Secured Authorization Request … Nat Sakimura
- Re: [OAUTH-WG] JWT Secured Authorization Request … Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Secured Authorization Request … Rob Otto