Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
Warren Parad <wparad@rhosys.ch> Sun, 14 February 2021 20:59 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D06F3A0AF3 for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 12:59:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.187
X-Spam-Level:
X-Spam-Status: No, score=-0.187 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8F3m3ZOLX8l for <oauth@ietfa.amsl.com>; Sun, 14 Feb 2021 12:59:39 -0800 (PST)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32DD53A0AE5 for <oauth@ietf.org>; Sun, 14 Feb 2021 12:59:39 -0800 (PST)
Received: by mail-il1-x133.google.com with SMTP id e7so3937279ile.7 for <oauth@ietf.org>; Sun, 14 Feb 2021 12:59:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0m5h+OPqhRDOxLUXUQ/kEZevNnpKGTEbd0l0Yqwqbrs=; b=AnL2hIDAfoIiQuW4GeWO7QMdmvVnuvvYYRpr++hVO7F3lXQbsG98Kjz3g+eDcJqJlH EBV/x0s0J1cF3UPFxhLpkKNukgBJD0tlEZwdstGHsTwjlxhYEgTpR/OGoM425rNJewUq qVH/73yMsRaJWR7HDnb6N4phXSlLBv7MhvX7J9DU9sU6jjB9pVvzjBc+/V6mS6eDxvSi NiXInn/M6ZDBM+xsVoSptGO/8FfvSieDGFLuh8EBi1NjrgcNJbXjT4e0FCn3P7fnxpVf se8oHfD4EJzBFjcatzwy4xRpn95HDzmiQFq/edCqWKsnk8UHnOqk7DzlmsIKGt+H7kfB E3FQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0m5h+OPqhRDOxLUXUQ/kEZevNnpKGTEbd0l0Yqwqbrs=; b=S+zo7a4OvSW8xPN8gjzxvjq81OhCc4yEoABpO15PntwviXORiDdDYIkrJMxQxMCFYK gxTCO+aun3V++AcanVpjV/3cDP8O2UpnM/7lTujUcQnnSpuoiCUH7SEd057iBWmaU7HD 1qzin/Sjtp4+lCbfCEK5i+e2rnwI5pLvxh/pZv8ww0CPkKxMdBki7dcS2CRecmfhtgih 6l8F2va26JVsRCD77FaFpMrte2k68/70kaKmn1LnjWQ3eNHEA7Qs8BNvqJHMv+B2EKE4 eW6llUBk34zmX2gtOlzaCYgynUjG9v0swYcAdz2HjpRQwPIjriZi5dP7L9Y7yP13j1HN 5jvQ==
X-Gm-Message-State: AOAM533PGNNIMgte1zhC0VQPzr9swvw7/qp95G/OVZgK31nM/2AlXiDP weA+R8uudedHZLGRvz6XF5lm0zTGI/wjfG4C4sg3BvmM7Asqx5nUiw==
X-Google-Smtp-Source: ABdhPJzio1HTHbBsENx7iDGuy2KJnq/tnvzpcuVPqAjLley8clX4Eq2O8QQqaOIC4K2Y/Bqd+X4JAgxXRCtesf0ZoU0=
X-Received: by 2002:a05:6e02:1d0e:: with SMTP id i14mr9771371ila.69.1613336378113; Sun, 14 Feb 2021 12:59:38 -0800 (PST)
MIME-Version: 1.0
References: <CO6PR18MB4052805653BFECD35E8A0E66AE8B9@CO6PR18MB4052.namprd18.prod.outlook.com> <C741095F-8350-4531-BFA4-4AAE929C08C3@forgerock.com> <CO6PR18MB4052C7D49F34DDFCA1687D63AE899@CO6PR18MB4052.namprd18.prod.outlook.com> <CAJot-L3EvdZeFO78YAtnh=kABAv8JR_rhZNTgV0u3ZW1eU8Lmg@mail.gmail.com> <CO6PR18MB405252DBE4E8235AAD829067AE899@CO6PR18MB4052.namprd18.prod.outlook.com> <CAJot-L0y5YAioQOCEMMjpounGNuX1j=BkWYRQMdhmzQeLZEuwg@mail.gmail.com> <CO6PR18MB4052378AF13E3AAA9743DA0AAE899@CO6PR18MB4052.namprd18.prod.outlook.com> <CAJot-L1E4QWyTwgisfJVK61XY2cFuCHvZHADrpxwzdyM-DCgHA@mail.gmail.com> <CO6PR18MB4052B7B005A1CA1F3AACF417AE899@CO6PR18MB4052.namprd18.prod.outlook.com>
In-Reply-To: <CO6PR18MB4052B7B005A1CA1F3AACF417AE899@CO6PR18MB4052.namprd18.prod.outlook.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sun, 14 Feb 2021 21:59:27 +0100
Message-ID: <CAJot-L2xkfcu-i0c0qR_uh3xn9WAN65kw3vSzwG7sJHra4XiTQ@mail.gmail.com>
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b8991c05bb522592"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FGbS4QlMOXHgDSwVFEq1_eg0mKo>
Subject: Re: [OAUTH-WG] Token Mediating and session Information Backend For Frontend (TMI BFF)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Feb 2021 20:59:43 -0000
> > To restate, the TMI-BFF proposal is not trying to fix any of that... it’s > definitely not a top level driver. Great, then we are back to: what is the top level driver. Because, while I appreciate the circumstances around ITP2.1~ as I fully understand how identity providers like Auth0 are using iframes and thirdparty cookies, this problem vanishes with the use of first-party domains. So let's skip the digression and assume we aren't solving ITP future related issues. The real problem I have with the draft is that it essentially suggests that every app needs to run a BFF to do user token generation because an AS is no longer afforded the capability for some reason. If we pull in expecting to solve ITP related issues then I think that justification is in play and we can work together to come up with a solution, rather than starting with the current deleterious prevalent pattern on the internet (which honestly is the most ridiculous paradigm I have seen). If we don't assume ITP is an issue, then I fail to see the core problem that existing AS have (as you pointed out code+PKCE already works) without the front channel or back channel needing really to make any additional changes. I assume there is a flaw in my reasoning somewhere, so please help me find it. - Warren Warren Parad Founder, CTO On Sun, Feb 14, 2021 at 9:20 PM Vittorio Bertocci <vittorio.bertocci= 40auth0.com@dmarc.ietf.org> wrote: > Let me rewind a bit here. This was never presented as driving use case. > > > > - Neil suggested that the backend could simply give short lived JTWs > for the frontent to call API. > - I clarified that this would not be viable in the general case and > provided an example scenario where backend issued short lived tokens would > not have worked > - You commented that the frontend can obtain AS tokens from JS and > mentioned silent authentication. I clarified (or tried to) that this > offshoot of the discussion wasn’t to say that there is no viable way of > doing the scenario already, and by the way using an iFrame to do silent > authentication is now problematic. At this point we are no longer > discussing TMI-BFF, but current affairs in the authentication world. The > fact that we are proposing TMI-BFF and the fact that silent authentication > is less and less viable are independent facts, the former isn’t meant to be > a solution for the latter (it’s already addressed by using RTs in coke+PKCE) > > > > That clarified. Not only we expect ITP to affect silent authentication, it > has been affected for the past year and that has been one of the primary > business drivers for the rapid adoption of code+PKCE+RTs in the user agent, > as customers with pure SPAs found themselves unable to renew tokens without > prompting as their access to cookies in flows driven by iframes became less > and less reliable. > > When ITP was introduced we put many companies together to try to get Apple > to change it (you can find the doc in > https://docs.google.com/document/d/1Rs--DFzZj_SfQjtz8oH9DlLII0ra3viMEHrK7sKsaiU/edit#heading=h.p3nvp6xmxvzf) > but they didn’t bulge and ultimately the introduction of RTs in user agent > code (albeit with extra restrictions, the one I mentioned not everyone is > following) made the problem manageable. We have an initiative cross working > groups (IETF, OIDC etc)for working with browser vendors to try containing > similar regressions in the future. For a summary of similar problems see > https://identiverse.gallery.video/detail/video/6184443037001/browser-features-vs-identity-protocols. > > > > > To restate, the TMI-BFF proposal is not trying to fix any of that, nor per > the above some of it need fixing. The only indirect connection might be > that less stuff happening in the user agent means less opportunities for > similar changes to impact the flows, but it’s definitely not a top level > driver. > > > > *From: *Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> > *Date: *Sunday, February 14, 2021 at 11:41 > *To: *Vittorio Bertocci <vittorio.bertocci@auth0.com> > *Cc: *Neil Madden <neil.madden@forgerock.com>, "oauth@ietf.org" < > oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Token Mediating and session Information Backend > For Frontend (TMI BFF) > > > > That only applies to third party cookies, it shouldn't affect third-party > iframes as far as I'm aware. So unless we expect those to break, we > probably shouldn't include that as a driving use case. Is there another > measure that would be relevant here? > > > [image: Image removed by sender.] > > *Warren Parad* > > Founder, CTO > > Secure your user data and complete your authorization architecture. > Implement Authress <https://authress.io>. > > > > > > On Sun, Feb 14, 2021 at 7:57 PM Vittorio Bertocci <vittorio.bertocci= > 40auth0.com@dmarc.ietf.org> wrote: > > ITP, for example > > > > *From: *Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> > *Date: *Sunday, February 14, 2021 at 04:54 > *To: *Vittorio Bertocci <vittorio.bertocci@auth0.com> > *Cc: *Neil Madden <neil.madden@forgerock.com>, "oauth@ietf.org" < > oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Token Mediating and session Information Backend > For Frontend (TMI BFF) > > > > Can you expand on what silent authentication and session token stands for > here? If you are referring to the iframe scenario, the new browser measures > make it problematic. > > Which new browser measures? > > > *Error! Filename not specified.* > > *Warren Parad* > > Founder, CTO > > Secure your user data and complete your authorization architecture. > Implement Authress <https://authress.io>. > > > > > > On Sun, Feb 14, 2021 at 1:33 PM Vittorio Bertocci <vittorio.bertocci= > 40auth0.com@dmarc.ietf.org> wrote: > > > - For UI related functionality, i.e. document selection, user profile > display/changes, contact updates, etc... You should be able to execute the > client side *silent authentication* using the provided session token > from the Azure AD AS, without needing to make any RO api calls nor user > redirects. > > Can you expand on what silent authentication and session token stands for > here? If you are referring to the iframe scenario, the new browser measures > make it problematic. In code+PKCE you can use a refresh token, but see the > other reply for how this proposal is an alternative to that in some > situations. This answer was specifically on why having backend-issued > tokens didn’t apply to this scenario. > > > > > > *From: *Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> > *Date: *Sunday, February 14, 2021 at 03:48 > *To: *Vittorio Bertocci <vittorio.bertocci@auth0.com> > *Cc: *Neil Madden <neil.madden@forgerock.com>, "oauth@ietf.org" < > oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Token Mediating and session Information Backend > For Frontend (TMI BFF) > > > > For the trusted part, see above. For the short lived JWTs, that’s not > really an option. The most generic scenario addressed here is for APIs that > accept tokens issued by the AS; the backend can request them as a client, > but it cannot mint them. Imagine we’re talking about a SPA application that > signs in users using Azure AD, and needs to call Office and Azure APIs. The > SPA backend cannot issue tokens for those APIs, it can only request them to > the Azure AD AS. > > > > For UI related functionality, i.e. document selection, user profile > display/changes, contact updates, etc... You should be able to execute the > client side *silent authentication* using the provided session token from > the Azure AD AS, without needing to make any RO api calls nor user > redirects. For RO responsibilities, you can present the user with a button > "Grant RO access to Azure resources" button and the user will go through a > permission scope elevation flow, again no reason to need a BFF here. > > > > We did consider adding something to that effect, an error message that can > direct the frontend to perform the interactive portion necessary for this > topology to work. It would be something similar to the IDP initiated login > in OIDC, where the client offers an endpoint that is guaranteed to initiate > a sign in flow (hence inject all the necessary nonces etc). We didn’t add > it upfront and left it as exercise for the reader mostly because it’s not > easy to model properly and before opening that work front we wanted to see > how the idea was received. > > It may make sense for the app to have an error message, or even better > might be a 302 *Location header* depending on what you are doing. There > is nothing here that is OAuth specific however (nor common), and then we > should challenge the need to directly provide an RFC recommendation for > handling this. > > > > *Error! Filename not specified.* > > *Warren Parad* > > Founder, CTO > > Secure your user data and complete your authorization architecture. > Implement Authress <https://authress.io>. > > > > > > On Sun, Feb 14, 2021 at 12:29 PM Vittorio Bertocci <vittorio.bertocci= > 40auth0.com@dmarc.ietf.org> wrote: > > Hi Neil, > > Thanks for the prompt comments! > > - Re: GET vs POST, > > personally I’d be fine with restricting to POST. > > > > - Re: RO-AS, interaction- > > perhaps it is not very clear from the text at the moment (first draft), > but that is assumed that the RO went thru whatever interactive steps are > necessary to establish a session (eg sign in, assuming the AS is say an > OIDC provider) and obtain beforehand the access token and refresh tokens > that will be needed during the app activities taking place after that. In > concrete terms, imagine that the backend performs an authorization code > grant requesting an IDtoken, access token and refresh token BEFORE the > activities described in TMI-BFF take place. > > The current language trying to express that is in 1.2: > > As a prerequisite for the flow described below, the backend MUST have > established a secure session with the user agent, so that all requests from > that user agent toward the backend occur over HTTPS and carry a valid > session artifact (such as a cookie) that the backend can validate. This > document does not mandate any specific mechanism to establish and maintain > that session. > > And > > cached, it requests to the authorization server a new access token with > the required characteristics, using any artifacts previousy obtained (eg > refresh token) and grants that will allow the authorization server to issue > the requested token without requiring user interaction. > > > > - If the backend is already implicitly trusted then couldn’t you skip > OAuth and just get the backend to issue short-lived JWTs to the frontend > that it can use for API access? > > For the trusted part, see above. For the short lived JWTs, that’s not > really an option. The most generic scenario addressed here is for APIs that > accept tokens issued by the AS; the backend can request them as a client, > but it cannot mint them. Imagine we’re talking about a SPA application that > signs in users using Azure AD, and needs to call Office and Azure APIs. The > SPA backend cannot issue tokens for those APIs, it can only request them to > the Azure AD AS. > > > > - If you want to allow auth code flow etc then perhaps the bff-token > endpoint can return a standard error code with an authorization endpoint > URI that the SPA then navigates the user to. (Eg the backend can do a PAR > request first and return a URI that references that so that authorization > details aren’t passed through the frontend). > > We did consider adding something to that effect, an error message that can > direct the frontend to perform the interactive portion necessary for this > topology to work. It would be something similar to the IDP initiated login > in OIDC, where the client offers an endpoint that is guaranteed to initiate > a sign in flow (hence inject all the necessary nonces etc). We didn’t add > it upfront and left it as exercise for the reader mostly because it’s not > easy to model properly and before opening that work front we wanted to see > how the idea was received. > > > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Neil Madden < > neil.madden@forgerock.com> > *Date: *Sunday, February 14, 2021 at 00:17 > *To: *Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> > *Cc: *"oauth@ietf.org" <oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Token Mediating and session Information Backend > For Frontend (TMI BFF) > > > > I have a lot of security concerns about this draft. > > > > The draft alludes to security issues associated with handling access > tokens in the frontend but never really spells them out. From the Security > Considerations it seems that the primary concern is with theft of access > tokens from local storage. To do this you’d need an XSS attack. But in that > case, wouldn’t the attacker simply use the XSS to make a call to the > bff-token endpoint instead? > > > > The combination of the bff-token endpoint recommending the use of GET > requests together with the hint to use cookie-based authentication is > likely going to punch a hole in most CSRF defenses, which assume that GETs > are safe. The only thing preventing this being exploitable is Cross-Origin > Read Blocking ( > https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md) > due to the JSON content-type. That makes me really nervous. We should at > least mandate X-Content-Type-Options: nosniff on that response. I’d feel > more comfortable if this was a POST request only. > > > > As Stoycho Sleptsov mentioned in the other email, the lack of > front-channel communication between the AS and the RO seems odd. If the > backend is already implicitly trusted then couldn’t you skip OAuth and just > get the backend to issue short-lived JWTs to the frontend that it can use > for API access? > > > > If you want to allow auth code flow etc then perhaps the bff-token > endpoint can return a standard error code with an authorization endpoint > URI that the SPA then navigates the user to. (Eg the backend can do a PAR > request first and return a URI that references that so that authorization > details aren’t passed through the frontend). > > > > — Neil > > > > > > On 12 Feb 2021, at 20:46, Vittorio Bertocci <vittorio.bertocci= > 40auth0.com@dmarc.ietf.org> wrote: > > Dear all, > Brian and yours truly are proposing a new specification that shows how the > user agent frontend of a web app can delegate token acquisition and > persistence to its backend, and request such tokens when needed for direct > access of protected resources from the frontend code. > > The pattern is already in use, in proprietary form, by various modern > development stacks, such as Next.JS. Variants of the pattern, often > discussed under the catch-all term BFF (backend for frontend), have been > often mentioned in this workgroup’s activity, but always left all > implementation details to the reader. > We believe the pattern has merit, as corroborated by its growing adoption. > By delegating access token acquisition to the backend, we avoid many of the > often brittle moving parts (and implied attack surface) required to acquire > access tokens from a user agent. The topology also relieves the frontend > from the need of persisting tokens in local storage, a well known sore > point of using OAuth directly in JavaScript, by relying on its backend > storage and session to preserve tokens. > > Although the specification is very simple, providing explicit guidance on > the scenario offers many advantages. > - It makes it possible to create interoperable SDKs, where frontend dev > stacks (any JS flavor) can be mixed and matched with compliant backend > stacks (middlewares in node, java, ASP.NET, PHP etc) > - It allows us to provide guidance on how to properly tackle the scenario > and warn implementers against security risks (scope escalations, using > IDtokens instead of access tokens, etc) > - It allows us to discuss (and when appropriate, promote) this pattern as > part of the browser apps security guidance, and position the scenario where > frontend only calls API on its own backed (hence doesn’t need access > tokens) simply as a special case of this more general pattern > - This approach makes mocking and testing apps very easy, possibly > preventing developers from weakening the security of their system (eg > turning on ROPG options) or turning to risky practices like scraping > > Needless to say, this specification doesn’t entirely eliminate the risks > inherent to direct use of access tokens from a browser. But reality is that > the pattern is in widespread use, and the circumstances leading to that (eg > developers on a particular project only work with frontend stacks; > components like reverse proxies might not always be viable; etc) aren’t > going away any time soon. By providing simple guidance on this pattern, we > can simplify the life of many developers while enshrining basic security > hygiene in scenarios that would have otherwise be left to their own device. > > Looking forward for your feedback! > > B&V > > On 2/12/21, 12:41, "internet-drafts@ietf.org" <internet-drafts@ietf.org> > wrote: > > > A new version of I-D, draft-bertocci-oauth2-tmi-bff-00.txt > has been successfully submitted by Vittorio Bertocci and posted to the > IETF repository. > > Name: draft-bertocci-oauth2-tmi-bff > Revision: 00 > Title: Token Mediating and session Information Backend For > Frontend > Document date: 2021-02-12 > Group: Individual Submission > Pages: 16 > URL: > https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.txt > Status: > https://datatracker.ietf.org/doc/draft-bertocci-oauth2-tmi-bff/ > Html: > https://www.ietf.org/archive/id/draft-bertocci-oauth2-tmi-bff-00.html > Htmlized: > https://tools.ietf.org/html/draft-bertocci-oauth2-tmi-bff-00 > > > Abstract: > This document describes how a JavaScript frontend can delegate access > token acquisition to a backend component. In so doing, the frontend > can access resource servers directly without taking on the burden of > communicating with the authorization server, persisting tokens, and > performing operations that are fraught with security challenges when > executed in a user agent, but are safe and well proven when executed > by a confidential client running on a backend. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ForgeRock values your Privacy <https://www.forgerock.com/your-privacy> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Token Mediating and session Informatio… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Stoycho Sleptsov
- Re: [OAUTH-WG] Token Mediating and session Inform… Torsten Lodderstedt
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Vittorio Bertocci
- Re: [OAUTH-WG] Token Mediating and session Inform… Hans Zandbelt
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Warren Parad
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Dominick Baier
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Philippe De Ryck
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- Re: [OAUTH-WG] Token Mediating and session Inform… George Fletcher
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden
- [OAUTH-WG] Security of OAuth on Andriod [Was: Re:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Om
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… SOMMER, DOMINIK
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Neil Madden
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Warren Parad
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Karsten Meyer zu Selhausen
- Re: [OAUTH-WG] Security of OAuth on Andriod [Was:… Aaron Parecki
- Re: [OAUTH-WG] Token Mediating and session Inform… Brian Campbell
- Re: [OAUTH-WG] Token Mediating and session Inform… Neil Madden