[OAUTH-WG] Assisted token flow

Travis Spencer <travis.spencer@curity.io> Sun, 18 March 2018 08:16 UTC


Good Morning All,

We have submitted a draft of our "assisted token flow", which my
colleague, Jacob Ideskog, presented at the OAuth Security Workshop in
Zurich last summer.[1] The submission can be found here:

https://datatracker.ietf.org/doc/draft-ideskog-assisted-token/

Some more detailed slides explaining the protocol can be found at [2].
There are a couple open source examples on GitHub as well.[3][4]

Mark Dobrinc and I will be at the IETF event in London Monday
through Wednesday. If anyone has interest and time, we would love to
talk more about this. We can give a demo as well; just grab us.

We're eager to receive feedback on this new proposal, and hope to
discuss more in London.

--

Regards,

Travis Spencer

[1] https://zisc.ethz.ch/oauth-security-workshop-2017/
[2] https://zisc.ethz.ch/wp-content/uploads/2017/02/ideskog_assisted-token.pdf
[3] https://github.com/curityio/react-assisted-token-website
[4] https://github.com/curityio/angular-assisted-token-website