IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Thu, 04 April 2019 15:50 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E73D8120118 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 08:50:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxllWwo1dNDi for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 08:50:54 -0700 (PDT)
Received: from sonic308-2.consmr.mail.bf2.yahoo.com (sonic308-2.consmr.mail.bf2.yahoo.com [74.6.130.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 779FA12007A for <oauth@ietf.org>; Thu, 4 Apr 2019 08:50:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554393053; bh=Fuxka0SlO1tuZMxb0Pmu673Lujemo4c3gGounXaVLNg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=ZfU03DvknaYmKdkS60tq2JiA3a1Fe7t6IRJi1JnCVEW2wmMsaWJw7TUkOr9jUvcCvtIw2QJJ47Xef1+BrpmGLRcx4BH3d7oFPJj9k6mR+U8wfGNHarAte9tQxdS0xPg0tC0bH3/USL8kSHkqsptbO/mAlSz0ZH+0mzN1+wgP36IYX84GRKz6dSakipNdfiH6qFK0Po56geI3o0P15v6xBcqNALpaMDZtxQkhj8CpOwvvdOQ4bVcWnhSsFHO4N26dlccZpbkYVEy8GonDIkAVZUXkwEvYFj9ejqNknqdzdDxaGWUAmVtuWcqfIaZ49QEp548I5pLos9Kc7O893qemqA==
X-YMail-OSG: 306pqM4VM1lj9pF22KaErZdcO2qMSmxcG6uA.Av_lP4YbqN4rajHyEFmJrqWvhh LghR66VGjSURAsf5z8hYsWYanKasSHf2rkctHtjZpxsxryEJ0e2VIbs.xoeO2fFlY_0OnIkAxckO 7t5B1akGtZRBI63W4DhIIEFuS.PZceoSpftJ_L9iyNEwkgUCmmsZBRam2tMUx2b7yutUB2geS9LK zHR.wkNo0SKqR6yBLDpVrF2VtZuzPHD7RgQkoTFK9I9iDGGCeXFnQTxLfkO_Ily6wu.kgPQewegq vYxuGVk3oh87IwlKWpeEYj0ziGFHLe.ftxzxiKxSxf_nYu7C_UaNjEZWNExx6NCS5VaCUevbo8vM 62vIA1XQ3CrXFocF1vEeWQ45tcHMXv9jxoW_lpKNerSQFU07TT8Gy8V3LrM4PbryoZH8BRuFy5uj SGdnpuqq6JD8wIViT5gu7wXwDAyjUbpBAiIvHkNOa_KyCsookG0kEC48wDStRSGTZrR5f08O2yxt tS5updaTCv9DxnuEC.fJlT5Y_abnb4Lxt45sd4ec_bQxDiu5UAggE2w7UzN4oyzNhV7tmyCKdp7u MqvXznBDvRa7vQRcCjMMx4XRBHIbk4QB8XqIUI8bfxWh64O3Dx2qAgGIPsTLLT53GPsGOOZ5wHea NV8GRQDUrLaSC83MruJ.AOigIOzzcGevKNx2QFXZUqPh666.AI1RKQdgIbqPMkG02PrIWCK5FInq uTkvwlJkSbxWKjGC.MyrpkWtSPuUfN.GAz7957S1Lx7N56F0ozoPGI51sRQDibaO0VPl1UGX7zIx ovYVPCAneGaeV2XwQgNoHufrAPu6122rqqlQhWveVPgmVFJVhipsB1Q9ihznKB0fmupUSyduMO2h _Y5513OwrS28QVZDMd_.4YOcigbTY7TXi9.vdn5fP8QSDV_ede1e76UleB.xIbaiotH6FO7BP5z0 Mc3Xz5KdclwkulCN3.uNRcZ.EC0DXDBvXrx2Otd0zoSuhcphxgi1p3wRxs_Gpteed4ddv4IwViP. Az3vAoCf6KtxO0SOVKS9us0jWmJ8lYVWwlwOa1KJ4f9esuFaXWE_SXRX6XMymyNcrvfoHNxiSzLN XE.RC5gjJeGIwbg--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 15:50:53 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp424.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 3ed5fa5f13e7aed81dd2f93f7809e1af; Thu, 04 Apr 2019 15:50:50 +0000 (UTC)
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com> <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com> <CA+iA6uhHOSmiSG_vxvad_g2ufi57OS4TxdvoO20g+7vm7rNZiA@mail.gmail.com> <CAO7Ng+vGC5ByU1wZrbNWvaZ+QuDByhJ8huw8UXVxfOCWQpaH1w@mail.gmail.com> <CA+iA6ujkEMdHPMn7JQLts7OAusV3ieKKMon572vTACtFvTGnrA@mail.gmail.com> <CAO_FVe73L7B-_7gu1W0N-mqLXHQExef4QKDeaWHrUmJnCCxCRg@mail.gmail.com> <D610AAEA-892F-4AAD-915D-A0C068F5BFD3@gmail.com> <CAO7Ng+sqzw4O2vt+iCWegBWBGg+-oyqV1j8dF7ADK2TbPec_CQ@mail.gmail.com> <CAHsNOKewL9xCFt6SsP4dz+W0CN_NUZaGMJahF7mSgos_Xbnhhw@mail.gmail.com> <CAO_FVe7c6jLRJ8mD7gw=a6NY3oZcgCh_b5dR8uRXa6Q2c2gmGg@mail.gmail.com> <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com> <a34edf0e-012a-ecc9-e547-3cdc61dca5a4@aol.com> <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <239f40ab-da4d-03fe-4524-0b21a0bcc63e@aol.com>
Date: Thu, 04 Apr 2019 11:50:49 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------E2773D1219BE218656E16BC9"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EP3BqIwkl-uAjgi3lLd03W3rzxI>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 15:50:59 -0000

The more I think about this the more I land in the "No" camp.

The subject of a token should be the principal of that token. It 
shouldn't matter whether that is a machine, a user, or a device. Trying 
to separate out "humans" as a special class will just make things more 
complicated. If we need a claim to identify the subject is a "human" 
then why not just add that. This doesn't break anything and makes it 
easy for people to detect this case in those use cases where it's required.

Thanks,
George

On 4/3/19 4:56 PM, Hans Zandbelt wrote:
> I will argue that in a way such deployments are already broken e.g. in 
> the typical use case of onboarding client accounts in the same 
> directory/OU/namespace as user accounts and we don't need to cater for 
> that.
>
> Hans.
>
> On Wed, Apr 3, 2019 at 10:48 PM George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>     I agree that this will break a lot of existing flows... especially
>     those using any form of the client_credentials flow. In that sense
>     I'm not completely on board yet :)
>
>     On 3/26/19 12:56 PM, Hans Zandbelt wrote:
>>     great summary! this will hurt quite a few existing m2m
>>     deployments but I do like the rigidness of it all: it is very
>>     explicit, cannot misinterpreted and thus prevents failure (which
>>     is really what Dominick is after); I'm on board
>>
>>     Hans.
>>
>>     On Tue, Mar 26, 2019 at 5:49 PM Vittorio Bertocci
>>     <Vittorio=40auth0.com@dmarc.ietf.org
>>     <mailto:40auth0.com@dmarc.ietf.org>> wrote:
>>
>>         thank you Steinar and everyone else for the comments on this!
>>         To summarize the situation so far: Dominick, Steinar, Rob,
>>         David, Nov, Bertrand recommend using sub only for users.
>>         Martin would like to have the sub for app only flows as well.
>>         Hans is neutral.
>>         That does sound like the sub as user has more consensus, tho
>>         before changing it I'd wait for the people currently at
>>         IETF104 to have more time to comment as well.
>>         Clarification. If the goal is to be able to apply the logic
>>         "if there's a sub, it's a user flow", we have to explicitly
>>         disallow (MUST NOT) the use of sub when that's not the case.
>>         Are all OK with it?
>>
>>         Dave, the suggestion of having explicit typing for app only
>>         vs user only is interesting! For the purpose of putting
>>         together an interoperable profile, tho, I would suggest we
>>         table it for v1 in the interest of getting to something easy
>>         to adopt (hence with small delta vs existing implementations)
>>         faster.
>>
>>         On Tue, Mar 26, 2019 at 1:40 AM Steinar Noem
>>         <steinar@udelt.no <mailto:steinar@udelt.no>> wrote:
>>
>>             Hi Vittorio, we  (the national federation-gateway for the
>>             health services in norway - "HelseID")  think his is a
>>             really valuable initiative!
>>             We also agree with Dominick concerning definition of the
>>             "sub" claim.
>>
>>             <mvh>Steinar</mvh>
>>
>>             tir. 26. mar. 2019 kl. 07:25 skrev Dominick Baier
>>             <dbaier@leastprivilege.com
>>             <mailto:dbaier@leastprivilege.com>>:
>>
>>                 From an access token consumer (aka API) developer
>>                 point of view, I prefer this logic
>>
>>                 "If sub is present - client acts on behalf of a user,
>>                 if not - not."
>>
>>                 Anything more complicated has a potential of going wrong.
>>
>>
>>                 On 26. March 2019 at 01:34:53, Nov Matake
>>                 (matake@gmail.com <mailto:matake@gmail.com>) wrote:
>>
>>>                 Hi Vittorio,
>>>
>>>                 Yeah, I’m concerning user & client ids collision.
>>>                 I haven’t seen such implementations, but user-select
>>>                 username as sub, or incremental integer as sub &
>>>                 client_id will be easily collide.
>>>
>>>                 If you can enforce collision resistant IDs between
>>>                 user & client instances, it’ll works fine. I feel
>>>                 its overkill though.
>>>
>>>                 Sent from my iPhone
>>>
>>>                 On Mar 26, 2019, at 8:51, Vittorio Bertocci
>>>                 <Vittorio@auth0.com <mailto:Vittorio@auth0.com>> wrote:
>>>
>>>>                 Hey Nov, Dominick, Hans-
>>>>                 thanks for the comments. That was an area I was
>>>>                 expecting to cause more discussion, and I am glad
>>>>                 we are having this opportunity to clarify.
>>>>                 The current language in the draft traces the
>>>>                 etymology of sub to OpenID Connect core, hence
>>>>                 Dominick observation is on point. However in the
>>>>                 description I express something in line with 7519,
>>>>                 which was in fact my intent.
>>>>
>>>>                 The idea was to provide an identifier of the
>>>>                 calling subject that is guaranteed to be present in
>>>>                 all cases- this would allow an SDK developer to use
>>>>                 the same code for things like lookups and
>>>>                 membership checks regardless of the nature of the
>>>>                 caller (user in a delegated case, app in app-only
>>>>                 grants). The information to discriminate between
>>>>                 user and app callers is always available in the
>>>>                 token (say, the caller is a user if sub!=client_id,
>>>>                 where client_id is always guaranteed to be present
>>>>                 as well) hence there's no loss in expressive power,
>>>>                 should that difference be relevant for the resource
>>>>                 server.
>>>>
>>>>                 Dominick, Hans- I probably missed the security
>>>>                 issue you guys are thinking of in this case. Of
>>>>                 course, if this would introduce a risk I completely
>>>>                 agree it should be changed- I'd just like to
>>>>                 understand better the problem. Could you expand it
>>>>                 in a scenario/use case to clarify the risk?
>>>>                 Nov- playing this back: is the concern that a user
>>>>                 and a client might have the same identifier within
>>>>                 an IDP? When using collision resistant IDs, as it
>>>>                 is usually the case, that seems to be a remote
>>>>                 possibility- did you stumble in such scenario in
>>>>                 production?
>>>>
>>>>                 Thanks
>>>>                 V.
>>>>
>>>>
>>>>                 On Mon, Mar 25, 2019 at 7:44 AM Hans Zandbelt
>>>>                 <hans.zandbelt@zmartzone.eu
>>>>                 <mailto:hans.zandbelt@zmartzone.eu>> wrote:
>>>>
>>>>                     I believe there are plenty of OAuth 2.0 only
>>>>                     use cases out there... but nevertheless I agree
>>>>                     with the potential confusion and thus security
>>>>                     problems arising from that (though one may
>>>>                     argue the semantics are the same).
>>>>
>>>>                     Hans.
>>>>
>>>>                     On Mon, Mar 25, 2019 at 3:39 PM Dominick Baier
>>>>                     <dbaier@leastprivilege.com
>>>>                     <mailto:dbaier@leastprivilege.com>> wrote:
>>>>
>>>>                         Yes I know - and I think in hindsight it
>>>>                         was a mistake to use the same claim type
>>>>                         for multiple semantics.
>>>>
>>>>                         All the “this is OIDC not OAuth” arguments
>>>>                         are making things more complicated than
>>>>                         they need to be - in my experience almost
>>>>                         no-one (that I know) does OIDC only - nor
>>>>                         OAuth only. They always combine it.
>>>>
>>>>                         In reality this leads to potential security
>>>>                         problems - this spec has the potential to
>>>>                         rectify the situation.
>>>>
>>>>                         Dominick
>>>>
>>>>                         On 25. March 2019 at 14:58:56, Hans
>>>>                         Zandbelt (hans.zandbelt@zmartzone.eu
>>>>                         <mailto:hans.zandbelt@zmartzone.eu>) wrote:
>>>>
>>>>>                         Without agreeing or disagreeing: OIDC does
>>>>>                         not apply here since it is not OAuth and
>>>>>                         an access token is not an id_token.
>>>>>                         The JWT spec says in
>>>>>                         https://tools.ietf.org/html/rfc7519#section-4.1.2:
>>>>>
>>>>>                         "The "sub" (subject) claim identifies the
>>>>>                         principal that is the
>>>>>                          subject of the JWT.  The claims in a JWT
>>>>>                         are normally statements
>>>>>                          about the subject.  The subject value
>>>>>                         MUST either be scoped to be
>>>>>                          locally unique in the context of the
>>>>>                         issuer or be globally unique.
>>>>>                          The processing of this claim is generally
>>>>>                         application specific"
>>>>>
>>>>>                         which kind of spells "client" in case of
>>>>>                         the client credentials grant but I also do
>>>>>                         worry about Resource Servers
>>>>>                         thinking/acting only in terms of users
>>>>>
>>>>>                         Hans.
>>>>>
>>>>>                         On Mon, Mar 25, 2019 at 2:41 PM Dominick
>>>>>                         Baier <dbaier@leastprivilege.com
>>>>>                         <mailto:dbaier@leastprivilege.com>> wrote:
>>>>>
>>>>>                             IMHO the sub claim should always refer
>>>>>                             to the user - and nothing else.
>>>>>
>>>>>                             OIDC says:
>>>>>
>>>>>                             "Subject - Identifier for the End-User
>>>>>                             at the Issuer."
>>>>>
>>>>>                             client_id should be used to identify
>>>>>                             clients.
>>>>>
>>>>>                             cheers
>>>>>                             Dominick
>>>>>
>>>>>                             On 25.. March 2019 at 05:13:03, Nov
>>>>>                             Matake (matake@gmail.com
>>>>>                             <mailto:matake@gmail.com>) wrote:
>>>>>
>>>>>>                             Hi Vittorio,
>>>>>>
>>>>>>                             Thanks for the good starting point of
>>>>>>                             standardizing JWT-ized AT.
>>>>>>
>>>>>>                             One feedback.
>>>>>>                             The “sub” claim can include 2 types
>>>>>>                             of identifier, end-user and client,
>>>>>>                             in this spec.
>>>>>>                             It requires those 2 types of
>>>>>>                             identifiers to be unique each other
>>>>>>                             in the IdP context.
>>>>>>
>>>>>>                             I prefer omitting “sub” claim in
>>>>>>                             2-legged context, so that no such
>>>>>>                             constraint needed.
>>>>>>
>>>>>>                             thanks
>>>>>>
>>>>>>                             nov
>>>>>>
>>>>>>>                             On Mar 25, 2019, at 8:29, Vittorio
>>>>>>>                             Bertocci
>>>>>>>                             <vittorio.bertocci=40auth0.com@dmarc.ietf.org
>>>>>>>                             <mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org>>
>>>>>>>                             wrote:
>>>>>>>
>>>>>>>                             Dear all,
>>>>>>>                             I just submitted a draft describing
>>>>>>>                             a JWT profile for OAuth 2.0 access
>>>>>>>                             tokens. You can find it in
>>>>>>>                             https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
>>>>>>>                             I have a slot to discuss this
>>>>>>>                             tomorrow at IETF 104 (I'll be
>>>>>>>                             presenting remotely). I look forward
>>>>>>>                             for your comments!
>>>>>>>
>>>>>>>                             Here's just a bit of backstory, in
>>>>>>>                             case you are interested in how this
>>>>>>>                             doc came to be. The trajectory it
>>>>>>>                             followed is somewhat unusual.
>>>>>>>
>>>>>>>                               * Despite OAuth2 not requiring any
>>>>>>>                                 specific format for ATs, through
>>>>>>>                                 the years I have come across
>>>>>>>                                 multiple proprietary solution
>>>>>>>                                 using JWT for their access
>>>>>>>                                 token. The intent and scenarios
>>>>>>>                                 addressed by those solutions are
>>>>>>>                                 mostly the same across vendors,
>>>>>>>                                 but the syntax and
>>>>>>>                                 interpretations in the
>>>>>>>                                 implementations are different
>>>>>>>                                 enough to prevent developers
>>>>>>>                                 from reusing code and skills
>>>>>>>                                 when moving from product to product.
>>>>>>>                               * I asked several individuals from
>>>>>>>                                 key products and services to
>>>>>>>                                 share with me concrete examples
>>>>>>>                                 of their JWT access tokens
>>>>>>>                                 (THANK YOU Dominick Baier
>>>>>>>                                 (IdentityServer), Brian Campbell
>>>>>>>                                 (PingIdentity), Daniel Dobalian
>>>>>>>                                 (Microsoft), Karl Guinness
>>>>>>>                                 (Okta) for the tokens and
>>>>>>>                                 explanations!).
>>>>>>>                                 I studied and compared all those
>>>>>>>                                 instances, identifying
>>>>>>>                                 commonalities and differences.
>>>>>>>                               * I put together a presentation
>>>>>>>                                 summarizing my findings and
>>>>>>>                                 suggesting a rough interoperable
>>>>>>>                                 profile (slides:
>>>>>>>                                 https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
>>>>>>>                                 <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
>>>>>>>                                 ) - got early feedback from
>>>>>>>                                 Filip Skokan on it. Thx Filip!
>>>>>>>                               * The presentation was followed up
>>>>>>>                                 by 1.5 hours of unconference
>>>>>>>                                 discussion, which was incredibly
>>>>>>>                                 valuable to get tight-loop
>>>>>>>                                 feedback and incorporate new
>>>>>>>                                 ideas. John Bradley, Brian
>>>>>>>                                 Campbell Vladimir Dzhuvinov,
>>>>>>>                                 Torsten Lodderstedt, Nat
>>>>>>>                                 Sakimura, Hannes Tschofenig were
>>>>>>>                                 all there and contributed
>>>>>>>                                 generously to the discussion.
>>>>>>>                                 Thank you!!!
>>>>>>>                                 Note: if you were at OSW2019,
>>>>>>>                                 participated in the discussion
>>>>>>>                                 and didn't get credited in the
>>>>>>>                                 draft, my apologies: please send
>>>>>>>                                 me a note and I'll make things
>>>>>>>                                 right at the next update.
>>>>>>>                               * On my flight back I did my best
>>>>>>>                                 to incorporate all the ideas and
>>>>>>>                                 feedback in a draft, which will
>>>>>>>                                 be discussed at IETF104
>>>>>>>                                 tomorrow. Rifaat, Hannes and
>>>>>>>                                 above all Brian were all super
>>>>>>>                                 helpful in negotiating the
>>>>>>>                                 mysterious syntax of the RFC
>>>>>>>                                 format and submission process.
>>>>>>>
>>>>>>>                             I was blown away by the
>>>>>>>                             availability, involvement and
>>>>>>>                             willingness to invest time to get
>>>>>>>                             things right that everyone
>>>>>>>                             demonstrated in the process. This is
>>>>>>>                             an amazing community.
>>>>>>>                             V.
>>>>>>>                             _______________________________________________
>>>>>>>                             OAuth mailing list
>>>>>>>                             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>                             https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>                             _______________________________________________
>>>>>>                             OAuth mailing list
>>>>>>                             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>                             https://www.ietf.org/mailman/listinfo/oauth
>>>>>                             _______________________________________________
>>>>>                             OAuth mailing list
>>>>>                             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>                             https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>>                         --
>>>>>                         hans.zandbelt@zmartzone.eu
>>>>>                         <mailto:hans.zandbelt@zmartzone.eu>
>>>>>                         ZmartZone IAM - www.zmartzone.eu
>>>>>                         <http://www.zmartzone.eu>
>>>>
>>>>
>>>>
>>>>                     --
>>>>                     hans.zandbelt@zmartzone.eu
>>>>                     <mailto:hans.zandbelt@zmartzone.eu>
>>>>                     ZmartZone IAM - www.zmartzone.eu
>>>>                     <http://www.zmartzone.eu>
>>>>
>>                 _______________________________________________
>>                 OAuth mailing list
>>                 OAuth@ietf.org <mailto:OAuth@ietf.org>
>>                 https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>             -- 
>>             Vennlig hilsen
>>
>>             Steinar Noem
>>             Partner Udelt AS
>>             Systemutvikler
>>             | steinar@udelt.no <mailto:steinar@udelt..no> |
>>             hei@udelt.no <mailto:hei@udelt.no>  | +47 955 21 620 |
>>             www.udelt.no <http://www.udelt.no/> |
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>     -- 
>>     hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
>>     ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -- 
> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>

v2.23.0 | Report a Bug | By Email