Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
George Fletcher <gffletch@aol.com> Thu, 04 April 2019 15:50 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E73D8120118 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 08:50:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxllWwo1dNDi for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 08:50:54 -0700 (PDT)
Received: from sonic308-2.consmr.mail.bf2.yahoo.com (sonic308-2.consmr.mail.bf2.yahoo.com [74.6.130.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 779FA12007A for <oauth@ietf.org>; Thu, 4 Apr 2019 08:50:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554393053; bh=Fuxka0SlO1tuZMxb0Pmu673Lujemo4c3gGounXaVLNg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=ZfU03DvknaYmKdkS60tq2JiA3a1Fe7t6IRJi1JnCVEW2wmMsaWJw7TUkOr9jUvcCvtIw2QJJ47Xef1+BrpmGLRcx4BH3d7oFPJj9k6mR+U8wfGNHarAte9tQxdS0xPg0tC0bH3/USL8kSHkqsptbO/mAlSz0ZH+0mzN1+wgP36IYX84GRKz6dSakipNdfiH6qFK0Po56geI3o0P15v6xBcqNALpaMDZtxQkhj8CpOwvvdOQ4bVcWnhSsFHO4N26dlccZpbkYVEy8GonDIkAVZUXkwEvYFj9ejqNknqdzdDxaGWUAmVtuWcqfIaZ49QEp548I5pLos9Kc7O893qemqA==
X-YMail-OSG: 306pqM4VM1lj9pF22KaErZdcO2qMSmxcG6uA.Av_lP4YbqN4rajHyEFmJrqWvhh LghR66VGjSURAsf5z8hYsWYanKasSHf2rkctHtjZpxsxryEJ0e2VIbs.xoeO2fFlY_0OnIkAxckO 7t5B1akGtZRBI63W4DhIIEFuS.PZceoSpftJ_L9iyNEwkgUCmmsZBRam2tMUx2b7yutUB2geS9LK zHR.wkNo0SKqR6yBLDpVrF2VtZuzPHD7RgQkoTFK9I9iDGGCeXFnQTxLfkO_Ily6wu.kgPQewegq vYxuGVk3oh87IwlKWpeEYj0ziGFHLe.ftxzxiKxSxf_nYu7C_UaNjEZWNExx6NCS5VaCUevbo8vM 62vIA1XQ3CrXFocF1vEeWQ45tcHMXv9jxoW_lpKNerSQFU07TT8Gy8V3LrM4PbryoZH8BRuFy5uj SGdnpuqq6JD8wIViT5gu7wXwDAyjUbpBAiIvHkNOa_KyCsookG0kEC48wDStRSGTZrR5f08O2yxt tS5updaTCv9DxnuEC.fJlT5Y_abnb4Lxt45sd4ec_bQxDiu5UAggE2w7UzN4oyzNhV7tmyCKdp7u MqvXznBDvRa7vQRcCjMMx4XRBHIbk4QB8XqIUI8bfxWh64O3Dx2qAgGIPsTLLT53GPsGOOZ5wHea NV8GRQDUrLaSC83MruJ.AOigIOzzcGevKNx2QFXZUqPh666.AI1RKQdgIbqPMkG02PrIWCK5FInq uTkvwlJkSbxWKjGC.MyrpkWtSPuUfN.GAz7957S1Lx7N56F0ozoPGI51sRQDibaO0VPl1UGX7zIx ovYVPCAneGaeV2XwQgNoHufrAPu6122rqqlQhWveVPgmVFJVhipsB1Q9ihznKB0fmupUSyduMO2h _Y5513OwrS28QVZDMd_.4YOcigbTY7TXi9.vdn5fP8QSDV_ede1e76UleB.xIbaiotH6FO7BP5z0 Mc3Xz5KdclwkulCN3.uNRcZ.EC0DXDBvXrx2Otd0zoSuhcphxgi1p3wRxs_Gpteed4ddv4IwViP. Az3vAoCf6KtxO0SOVKS9us0jWmJ8lYVWwlwOa1KJ4f9esuFaXWE_SXRX6XMymyNcrvfoHNxiSzLN XE.RC5gjJeGIwbg--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 15:50:53 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp424.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 3ed5fa5f13e7aed81dd2f93f7809e1af; Thu, 04 Apr 2019 15:50:50 +0000 (UTC)
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com> <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com> <CA+iA6uhHOSmiSG_vxvad_g2ufi57OS4TxdvoO20g+7vm7rNZiA@mail.gmail.com> <CAO7Ng+vGC5ByU1wZrbNWvaZ+QuDByhJ8huw8UXVxfOCWQpaH1w@mail.gmail.com> <CA+iA6ujkEMdHPMn7JQLts7OAusV3ieKKMon572vTACtFvTGnrA@mail.gmail.com> <CAO_FVe73L7B-_7gu1W0N-mqLXHQExef4QKDeaWHrUmJnCCxCRg@mail.gmail.com> <D610AAEA-892F-4AAD-915D-A0C068F5BFD3@gmail.com> <CAO7Ng+sqzw4O2vt+iCWegBWBGg+-oyqV1j8dF7ADK2TbPec_CQ@mail.gmail.com> <CAHsNOKewL9xCFt6SsP4dz+W0CN_NUZaGMJahF7mSgos_Xbnhhw@mail.gmail.com> <CAO_FVe7c6jLRJ8mD7gw=a6NY3oZcgCh_b5dR8uRXa6Q2c2gmGg@mail.gmail.com> <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com> <a34edf0e-012a-ecc9-e547-3cdc61dca5a4@aol.com> <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <239f40ab-da4d-03fe-4524-0b21a0bcc63e@aol.com>
Date: Thu, 04 Apr 2019 11:50:49 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------E2773D1219BE218656E16BC9"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EP3BqIwkl-uAjgi3lLd03W3rzxI>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 15:50:59 -0000
The more I think about this the more I land in the "No" camp. The subject of a token should be the principal of that token. It shouldn't matter whether that is a machine, a user, or a device. Trying to separate out "humans" as a special class will just make things more complicated. If we need a claim to identify the subject is a "human" then why not just add that. This doesn't break anything and makes it easy for people to detect this case in those use cases where it's required. Thanks, George On 4/3/19 4:56 PM, Hans Zandbelt wrote: > I will argue that in a way such deployments are already broken e.g. in > the typical use case of onboarding client accounts in the same > directory/OU/namespace as user accounts and we don't need to cater for > that. > > Hans. > > On Wed, Apr 3, 2019 at 10:48 PM George Fletcher <gffletch@aol.com > <mailto:gffletch@aol.com>> wrote: > > I agree that this will break a lot of existing flows... especially > those using any form of the client_credentials flow. In that sense > I'm not completely on board yet :) > > On 3/26/19 12:56 PM, Hans Zandbelt wrote: >> great summary! this will hurt quite a few existing m2m >> deployments but I do like the rigidness of it all: it is very >> explicit, cannot misinterpreted and thus prevents failure (which >> is really what Dominick is after); I'm on board >> >> Hans. >> >> On Tue, Mar 26, 2019 at 5:49 PM Vittorio Bertocci >> <Vittorio=40auth0.com@dmarc.ietf.org >> <mailto:40auth0.com@dmarc.ietf.org>> wrote: >> >> thank you Steinar and everyone else for the comments on this! >> To summarize the situation so far: Dominick, Steinar, Rob, >> David, Nov, Bertrand recommend using sub only for users. >> Martin would like to have the sub for app only flows as well. >> Hans is neutral. >> That does sound like the sub as user has more consensus, tho >> before changing it I'd wait for the people currently at >> IETF104 to have more time to comment as well. >> Clarification. If the goal is to be able to apply the logic >> "if there's a sub, it's a user flow", we have to explicitly >> disallow (MUST NOT) the use of sub when that's not the case. >> Are all OK with it? >> >> Dave, the suggestion of having explicit typing for app only >> vs user only is interesting! For the purpose of putting >> together an interoperable profile, tho, I would suggest we >> table it for v1 in the interest of getting to something easy >> to adopt (hence with small delta vs existing implementations) >> faster. >> >> On Tue, Mar 26, 2019 at 1:40 AM Steinar Noem >> <steinar@udelt.no <mailto:steinar@udelt.no>> wrote: >> >> Hi Vittorio, we (the national federation-gateway for the >> health services in norway - "HelseID") think his is a >> really valuable initiative! >> We also agree with Dominick concerning definition of the >> "sub" claim. >> >> <mvh>Steinar</mvh> >> >> tir. 26. mar. 2019 kl. 07:25 skrev Dominick Baier >> <dbaier@leastprivilege.com >> <mailto:dbaier@leastprivilege.com>>: >> >> From an access token consumer (aka API) developer >> point of view, I prefer this logic >> >> "If sub is present - client acts on behalf of a user, >> if not - not." >> >> Anything more complicated has a potential of going wrong. >> >> >> On 26. March 2019 at 01:34:53, Nov Matake >> (matake@gmail.com <mailto:matake@gmail.com>) wrote: >> >>> Hi Vittorio, >>> >>> Yeah, I’m concerning user & client ids collision. >>> I haven’t seen such implementations, but user-select >>> username as sub, or incremental integer as sub & >>> client_id will be easily collide. >>> >>> If you can enforce collision resistant IDs between >>> user & client instances, it’ll works fine. I feel >>> its overkill though. >>> >>> Sent from my iPhone >>> >>> On Mar 26, 2019, at 8:51, Vittorio Bertocci >>> <Vittorio@auth0.com <mailto:Vittorio@auth0.com>> wrote: >>> >>>> Hey Nov, Dominick, Hans- >>>> thanks for the comments. That was an area I was >>>> expecting to cause more discussion, and I am glad >>>> we are having this opportunity to clarify. >>>> The current language in the draft traces the >>>> etymology of sub to OpenID Connect core, hence >>>> Dominick observation is on point. However in the >>>> description I express something in line with 7519, >>>> which was in fact my intent. >>>> >>>> The idea was to provide an identifier of the >>>> calling subject that is guaranteed to be present in >>>> all cases- this would allow an SDK developer to use >>>> the same code for things like lookups and >>>> membership checks regardless of the nature of the >>>> caller (user in a delegated case, app in app-only >>>> grants). The information to discriminate between >>>> user and app callers is always available in the >>>> token (say, the caller is a user if sub!=client_id, >>>> where client_id is always guaranteed to be present >>>> as well) hence there's no loss in expressive power, >>>> should that difference be relevant for the resource >>>> server. >>>> >>>> Dominick, Hans- I probably missed the security >>>> issue you guys are thinking of in this case. Of >>>> course, if this would introduce a risk I completely >>>> agree it should be changed- I'd just like to >>>> understand better the problem. Could you expand it >>>> in a scenario/use case to clarify the risk? >>>> Nov- playing this back: is the concern that a user >>>> and a client might have the same identifier within >>>> an IDP? When using collision resistant IDs, as it >>>> is usually the case, that seems to be a remote >>>> possibility- did you stumble in such scenario in >>>> production? >>>> >>>> Thanks >>>> V. >>>> >>>> >>>> On Mon, Mar 25, 2019 at 7:44 AM Hans Zandbelt >>>> <hans.zandbelt@zmartzone.eu >>>> <mailto:hans.zandbelt@zmartzone.eu>> wrote: >>>> >>>> I believe there are plenty of OAuth 2.0 only >>>> use cases out there... but nevertheless I agree >>>> with the potential confusion and thus security >>>> problems arising from that (though one may >>>> argue the semantics are the same). >>>> >>>> Hans. >>>> >>>> On Mon, Mar 25, 2019 at 3:39 PM Dominick Baier >>>> <dbaier@leastprivilege.com >>>> <mailto:dbaier@leastprivilege.com>> wrote: >>>> >>>> Yes I know - and I think in hindsight it >>>> was a mistake to use the same claim type >>>> for multiple semantics. >>>> >>>> All the “this is OIDC not OAuth” arguments >>>> are making things more complicated than >>>> they need to be - in my experience almost >>>> no-one (that I know) does OIDC only - nor >>>> OAuth only. They always combine it. >>>> >>>> In reality this leads to potential security >>>> problems - this spec has the potential to >>>> rectify the situation. >>>> >>>> Dominick >>>> >>>> On 25. March 2019 at 14:58:56, Hans >>>> Zandbelt (hans.zandbelt@zmartzone.eu >>>> <mailto:hans.zandbelt@zmartzone.eu>) wrote: >>>> >>>>> Without agreeing or disagreeing: OIDC does >>>>> not apply here since it is not OAuth and >>>>> an access token is not an id_token. >>>>> The JWT spec says in >>>>> https://tools.ietf.org/html/rfc7519#section-4.1.2: >>>>> >>>>> "The "sub" (subject) claim identifies the >>>>> principal that is the >>>>> subject of the JWT. The claims in a JWT >>>>> are normally statements >>>>> about the subject. The subject value >>>>> MUST either be scoped to be >>>>> locally unique in the context of the >>>>> issuer or be globally unique. >>>>> The processing of this claim is generally >>>>> application specific" >>>>> >>>>> which kind of spells "client" in case of >>>>> the client credentials grant but I also do >>>>> worry about Resource Servers >>>>> thinking/acting only in terms of users >>>>> >>>>> Hans. >>>>> >>>>> On Mon, Mar 25, 2019 at 2:41 PM Dominick >>>>> Baier <dbaier@leastprivilege.com >>>>> <mailto:dbaier@leastprivilege.com>> wrote: >>>>> >>>>> IMHO the sub claim should always refer >>>>> to the user - and nothing else. >>>>> >>>>> OIDC says: >>>>> >>>>> "Subject - Identifier for the End-User >>>>> at the Issuer." >>>>> >>>>> client_id should be used to identify >>>>> clients. >>>>> >>>>> cheers >>>>> Dominick >>>>> >>>>> On 25.. March 2019 at 05:13:03, Nov >>>>> Matake (matake@gmail.com >>>>> <mailto:matake@gmail.com>) wrote: >>>>> >>>>>> Hi Vittorio, >>>>>> >>>>>> Thanks for the good starting point of >>>>>> standardizing JWT-ized AT. >>>>>> >>>>>> One feedback. >>>>>> The “sub” claim can include 2 types >>>>>> of identifier, end-user and client, >>>>>> in this spec. >>>>>> It requires those 2 types of >>>>>> identifiers to be unique each other >>>>>> in the IdP context. >>>>>> >>>>>> I prefer omitting “sub” claim in >>>>>> 2-legged context, so that no such >>>>>> constraint needed. >>>>>> >>>>>> thanks >>>>>> >>>>>> nov >>>>>> >>>>>>> On Mar 25, 2019, at 8:29, Vittorio >>>>>>> Bertocci >>>>>>> <vittorio.bertocci=40auth0.com@dmarc.ietf.org >>>>>>> <mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org>> >>>>>>> wrote: >>>>>>> >>>>>>> Dear all, >>>>>>> I just submitted a draft describing >>>>>>> a JWT profile for OAuth 2.0 access >>>>>>> tokens. You can find it in >>>>>>> https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/. >>>>>>> I have a slot to discuss this >>>>>>> tomorrow at IETF 104 (I'll be >>>>>>> presenting remotely). I look forward >>>>>>> for your comments! >>>>>>> >>>>>>> Here's just a bit of backstory, in >>>>>>> case you are interested in how this >>>>>>> doc came to be. The trajectory it >>>>>>> followed is somewhat unusual. >>>>>>> >>>>>>> * Despite OAuth2 not requiring any >>>>>>> specific format for ATs, through >>>>>>> the years I have come across >>>>>>> multiple proprietary solution >>>>>>> using JWT for their access >>>>>>> token. The intent and scenarios >>>>>>> addressed by those solutions are >>>>>>> mostly the same across vendors, >>>>>>> but the syntax and >>>>>>> interpretations in the >>>>>>> implementations are different >>>>>>> enough to prevent developers >>>>>>> from reusing code and skills >>>>>>> when moving from product to product. >>>>>>> * I asked several individuals from >>>>>>> key products and services to >>>>>>> share with me concrete examples >>>>>>> of their JWT access tokens >>>>>>> (THANK YOU Dominick Baier >>>>>>> (IdentityServer), Brian Campbell >>>>>>> (PingIdentity), Daniel Dobalian >>>>>>> (Microsoft), Karl Guinness >>>>>>> (Okta) for the tokens and >>>>>>> explanations!). >>>>>>> I studied and compared all those >>>>>>> instances, identifying >>>>>>> commonalities and differences. >>>>>>> * I put together a presentation >>>>>>> summarizing my findings and >>>>>>> suggesting a rough interoperable >>>>>>> profile (slides: >>>>>>> https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx >>>>>>> <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx> >>>>>>> ) - got early feedback from >>>>>>> Filip Skokan on it. Thx Filip! >>>>>>> * The presentation was followed up >>>>>>> by 1.5 hours of unconference >>>>>>> discussion, which was incredibly >>>>>>> valuable to get tight-loop >>>>>>> feedback and incorporate new >>>>>>> ideas. John Bradley, Brian >>>>>>> Campbell Vladimir Dzhuvinov, >>>>>>> Torsten Lodderstedt, Nat >>>>>>> Sakimura, Hannes Tschofenig were >>>>>>> all there and contributed >>>>>>> generously to the discussion. >>>>>>> Thank you!!! >>>>>>> Note: if you were at OSW2019, >>>>>>> participated in the discussion >>>>>>> and didn't get credited in the >>>>>>> draft, my apologies: please send >>>>>>> me a note and I'll make things >>>>>>> right at the next update. >>>>>>> * On my flight back I did my best >>>>>>> to incorporate all the ideas and >>>>>>> feedback in a draft, which will >>>>>>> be discussed at IETF104 >>>>>>> tomorrow. Rifaat, Hannes and >>>>>>> above all Brian were all super >>>>>>> helpful in negotiating the >>>>>>> mysterious syntax of the RFC >>>>>>> format and submission process. >>>>>>> >>>>>>> I was blown away by the >>>>>>> availability, involvement and >>>>>>> willingness to invest time to get >>>>>>> things right that everyone >>>>>>> demonstrated in the process. This is >>>>>>> an amazing community. >>>>>>> V. >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> >>>>> -- >>>>> hans.zandbelt@zmartzone.eu >>>>> <mailto:hans.zandbelt@zmartzone.eu> >>>>> ZmartZone IAM - www.zmartzone.eu >>>>> <http://www.zmartzone.eu> >>>> >>>> >>>> >>>> -- >>>> hans.zandbelt@zmartzone.eu >>>> <mailto:hans.zandbelt@zmartzone.eu> >>>> ZmartZone IAM - www.zmartzone.eu >>>> <http://www.zmartzone.eu> >>>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> -- >> Vennlig hilsen >> >> Steinar Noem >> Partner Udelt AS >> Systemutvikler >> | steinar@udelt.no <mailto:steinar@udelt..no> | >> hei@udelt.no <mailto:hei@udelt.no> | +47 955 21 620 | >> www.udelt.no <http://www.udelt.no/> | >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> -- >> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu> >> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > > -- > hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu> > ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>
- [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Nov Matake
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Pedro Igor Silva
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… CARLIER Bertrand
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… donald.coffin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Nov Matake
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dave Tonge
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Rob Otto
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Steinar Noem
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dave Tonge
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Binningsbø
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Benjamin Kaduk
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… David Waite
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Mike Jones
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Mike Jones
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Binningsbø
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Karl McGuinness
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- [OAUTH-WG] OAuth security topics Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- Re: [OAUTH-WG] OAuth security topics Hannes Tschofenig
- [OAUTH-WG] Off Topic: oauth-bounces Neil Madden
- Re: [OAUTH-WG] OAuth security topics Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth security topics Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] Off Topic: oauth-bounces Benjamin Kaduk
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth security topics Torsten Lodderstedt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth security topics Neil Madden