Re: [OAUTH-WG] OAuth Digest, Vol 174, Issue 47
M basheer Babar <talal.jugnu@gmail.com> Sun, 30 April 2023 10:57 UTC
References: <mailman.53.1682794803.43319.oauth@ietf.org>
In-Reply-To: <mailman.53.1682794803.43319.oauth@ietf.org>
From: M basheer Babar <talal.jugnu@gmail.com>
Date: Sun, 30 Apr 2023 15:57:26 +0500
Message-ID: <CA+o8u81SQqr3wgi6QH=XV9yDsLx9RkSv22orvh=AGFB2DwuDpw@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/E-J-nBkCgQ0PmyWnlHHUKikMyDI>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 174, Issue 47

https://surprisinglystaunchdemocratic.com/vmcgjtva4?key=eaff90a62179f2f5184419223192d723

On Sun, 30 Apr 2023, 12:01 AM, <oauth-request@ietf.org> wrote:

> Send OAuth mailing list submissions to
>     oauth@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://www.ietf.org/mailman/listinfo/oauth
> or, via email, send a message with subject or body 'help' to
>     oauth-request@ietf.org
>
> You can reach the person managing the list at
>     oauth-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
>
> Today's Topics:
>
>    1. Protocol Action: 'OAuth 2.0 Demonstrating Proof-of-Possession
>       at the Application Layer (DPoP)' to Proposed Standard
>       (draft-ietf-oauth-dpop-16.txt) (The IESG)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 28 Apr 2023 15:11:44 -0700
> From: The IESG <iesg-secretary@ietf.org>
> To: "IETF-Announce" <ietf-announce@ietf.org>
> Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-dpop@ietf.org,
>     oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org,
>     rfc-editor@rfc-editor.org, rifaat.s.ietf@gmail.com
> Subject: [OAUTH-WG] Protocol Action: 'OAuth 2.0 Demonstrating
>     Proof-of-Possession at the Application Layer (DPoP)' to Proposed
>     Standard (draft-ietf-oauth-dpop-16.txt)
> Message-ID: <168271990429.49518.565437942085290907@ietfa.amsl.com>
> Content-Type: text/plain; charset="utf-8"
>
> The IESG has approved the following document:
> - 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
>   (DPoP)'
>   (draft-ietf-oauth-dpop-16.txt) as Proposed Standard
>
> This document is the product of the Web Authorization Protocol Working
> Group.
>
> The IESG contact persons are Paul Wouters and Roman Danyliw.
>
> A URL of this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
>
> Technical Summary
>
> This document describes a mechanism for sender-constraining OAuth 2.0
> tokens via a proof-of-possession mechanism on the application level.
> This mechanism allows for the detection of replay attacks with access
> and refresh tokens.
>
> Working Group Summary
>
> A large number of people reviewed the document over several rounds of
> reviews and provided feedback during meetings and on the mailing list,
> with no blocking comments.
>
> Important clarifications to the document were made based on IETF LC.
>
> Document Quality
>
> There are a number of implementations:
>
> * The OpenID Foundation FAPI2 certification tools have implementations
>   of / tests for (most of) DPoP as both an AS/RS & client.
>
> * Authlete has implemented DPoP as an AS / RS.
>
> * The Italian Attribute Authorization Infrastructure has an
>   implementation
>   https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/edit#
>
> * liboauth2 library used in OAuth 2.0 Resource Server modules for
>   Apache/NGINX (mod_oauth2/ngx_oauth2_module)
>   https://github.com/zmartzone/liboauth2/blob/v1.4.5/src/dpop.c#L331-L441
>
> * OSS Nimbus OAuth 2.0 / OIDC Java SDK
>   https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/dpop
>
> * c2id server
>   https://connect2id.com/products/server/docs/datasheet#dpop
>
> * Synamedia has implemented DPoP in OTT ServiceGuard - Advanced
>   anti-piracy security for OTT video services, that includes a secure
>   client library providing DPoP generation capabilities to an
>   integrating application. Synamedia also supports DPoP as part of
>   Synamedia Go - using an Integrated OTT ServiceGuard library in its
>   clients and DPoP validation in its services to provide a secure
>   modular platform for OTT video services.
>
> * European Anti-Fraud Office (OLAF) defined a B2B solution for private
>   clients based on the DPoP draft version 03. The solution describes
>   the behavior of the Relying Party and the Resource Server.
>   Implemented both RP and RS in JAVA extending the Spring Framework to
>   add the needed functionalities.
>
> * Keycloak: https://www.keycloak.org/
>   DPoP status: work in progress (tentatively Keycloak 22)
>
> * Solid
>   Servers:
>   - Community Solid Server (opensource):
>     https://github.com/CommunitySolidServer/CommunitySolidServer
>   - Enterprise Solid Server (commercial):
>     https://www.inrupt.com/products/enterprise-solid-server
>
>   Client libraries:
>   - JavaScript: https://github.com/inrupt/solid-client-authn-js/
>   - Java: https://github.com/janeirodigital/sai-authentication-java
>
>   Note about Solid: it seems that they are following an older version
>   of the draft, and have some added behaviour not specified by the
>   draft
>
> Personnel
>
> - Document Shepherd: Rifaat Shekh-Yusef
> - Responsible Area Director: Roman Danyliw
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> ------------------------------
>
> End of OAuth Digest, Vol 174, Issue 47
> **************************************