Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

Pieter Kasselman <pieter.kasselman@microsoft.com> Wed, 01 December 2021 15:14 UTC

From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Aaron Parecki <aaron@parecki.com>, Neil Madden <neil.madden@forgerock.com>
CC: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XNX9_Wm59X1WL4F7reIv9sJrGmU>

Hi Aaron, Neil

Thanks for the questions.

We agree that ideally authorization codes and PKCE proofs would never end up in log files and one-time use would be perfectly implemented.

However, in practice these artefacts do find their way into log files in various places and one-time use may not always be practical (e.g. one-time use in a certain timeframe etc).

The addition of these mitigations is not meant to replace the need for one-time use or good logging hygiene. Instead they provide pragmatic defence in depth against real attacks rather than assuming perfect implementations. We are deploying these mitigations and are sharing them for inclusion in DPoP to enable others to do the same.

Regarding the question about interrupting/intercepting the HTTPS connection, the attacker doesn't need to intercept the HTTPS connection or modify the content in the TLS tunnel, rather they just need to prevent the authorization code from being presented to the Authorization Server. It may even happen due to a poor network connection. The poor connection may be engineered by an attacker, or they may opportunistically benefit from it. The networks are not perfect either.

Cheers

Pieter


From: OAuth <oauth-bounces@ietf.org> On Behalf Of Aaron Parecki
Sent: Wednesday 1 December 2021 00:05
To: Neil Madden <neil.madden@forgerock.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] dpop_jkt Authorization Request Parameter

I tend to agree with Neil here. I'm struggling to see the relevance of this attack.

It seems like the PDF writeup describes two possible reasons an attacker could get access to the authorization code and PKCE code verifier.

1. The attacker has access to the logs of the token endpoint.
2. The attacker can intercept HTTPS connections between the client and AS (VPN, corporate network proxy, etc)

For 1, the solution is to stop logging the contents of the POST body, and secure your infrastructure. I don't think making the client jump through extra hoops is a good solution if you are already logging more than you should be or you don't trust the people who have access to the infrastructure. If this really is a concern, I suspect there are a lot more places in the flow that would need to be patched up if you don't trust your own token endpoint.

For 2, if the attacker can intercept the HTTPS connection, then the proposed solution doesn't add anything because the attacker could modify the requests before it hits the authorization server anyway, and change which DPoP key the token gets bound to in the first place. Plus, the attacker would also have access to anything else the client is sending to the AS, such as the user's password when they authenticate at the AS.

Are there other attack vectors I'm missing that might actually be solved by this mechanism?

Aaron


On Tue, Nov 30, 2021 at 12:40 PM Neil Madden <neil.madden@forgerock.com> wrote:
Sadly I couldn't make the DPoP session, but I'm not convinced the attack described in the earlier message really needs to be prevented at all. The attack largely hinges on auth codes not being one-time use, which is not a good idea, or otherwise on poor network security on the token endpoint. I'm not convinced DPoP needs to protect against these things. Is there more to this?

The proposed solutions also seem susceptible to the same problems they attempt to solve - if an attacker is somehow able to interrupt the client's (TLS-protected) token request, why are they somehow not able to interrupt/modify the (far less protected) redirect to the authorization endpoint?

- Neil


On 30 Nov 2021, at 20:15, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

As described during the OAuth Security Workshop session on DPoP, I created a pull request adding the dpop_jkt authorization request parameter to use for binding the authorization code to the client's DPoP key.  See https://github.com/danielfett/draft-dpop/pull/89.

This is an alternative to https://github.com/danielfett/draft-dpop/pull/86, which achieved this binding using a new DPoP PKCE method.  Using this alternative allows PKCE implementations to be unmodified, while adding DPoP in new code, which may be an advantage in some deployments.

Please review and comment.  Note that I plan to add more of the attack description written by Pieter Kasselman to the security considerations in a future commit.  This attack description was sent by Pieter yesterday in a message with the subject "Authorization Code Log File Attack (was DPoP Interim Meeting Minutes)".

                                                       -- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
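
The binding discussed in this thread, as an added example that is not part of the original messages or the draft: the authorization server records the key thumbprint sent as dpop_jkt and redeems the code only for a DPoP proof made with that key, so a code recovered from a log is not enough on its own. It assumes dpop_jkt carries the RFC 7638 SHA-256 JWK thumbprint and that the proof's signature was verified beforehand; `CodeStore` and the sample keys are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
import json

# Required JWK members per key type for an RFC 7638 thumbprint.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk):
    """Base64url SHA-256 over the required members only, sorted, no whitespace."""
    subset = {name: jwk[name] for name in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class CodeStore:
    """Hypothetical authorization-server state: code -> dpop_jkt seen at authorization."""
    def __init__(self):
        self._bound = {}

    def issue(self, code, dpop_jkt):
        self._bound[code] = dpop_jkt

    def redeem(self, code, proof_jwk):
        """proof_jwk is the key from a DPoP proof whose signature was already verified."""
        expected = self._bound.get(code)
        if expected is None:
            return False  # unknown or already-used code
        if not hmac.compare_digest(expected, jwk_thumbprint(proof_jwk)):
            # Different key than the code was bound to. This sketch leaves the
            # code valid; a deployment may choose to revoke it instead.
            return False
        del self._bound[code]  # one-time use on success
        return True

# Constructed sample keys (x/y are placeholders, not real curve points).
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x-placeholder", "y": "client-y-placeholder"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-placeholder", "y": "other-y-placeholder"}

def demo():
    store = CodeStore()
    store.issue("code-from-log", jwk_thumbprint(CLIENT_JWK))
    return (
        store.redeem("code-from-log", OTHER_JWK),   # leaked code, wrong key
        store.redeem("code-from-log", CLIENT_JWK),  # legitimate client
        store.redeem("code-from-log", CLIENT_JWK),  # replay after use
    )

if __name__ == "__main__":
    print(demo())
```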