Re: [OAUTH-WG] MTLS token endoint & discovery
George Fletcher <gffletch@aol.com> Tue, 12 February 2019 20:27 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1EC7130DE7 for <oauth@ietfa.amsl.com>; Tue, 12 Feb 2019 12:27:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_n9qyCuTBRP for <oauth@ietfa.amsl.com>; Tue, 12 Feb 2019 12:27:41 -0800 (PST)
Received: from sonic303-4.consmr.mail.bf2.yahoo.com (sonic303-4.consmr.mail.bf2.yahoo.com [74.6.131.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50D3212DF71 for <oauth@ietf.org>; Tue, 12 Feb 2019 12:27:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1550003259; bh=b7jmBaMD9UVjrzrCfRXkJl/utWxqZeiTotkj2lH3KkM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=QUAFkrk+0IXOjLwUCpcgLja2v3WonCkJgBaSPMhGGcvh2kd5w8ayYgkDfJjMM/ReavLEIv5Xw1B7dE9b7ftdn/9B4rhI1g7S0asfSlJtv+hggw9fmHGTvb2M4C97lagGvXfA/ph4ET9lCl2xkR1HJ+x7pytQjpePumVL4/g/xuVis69hQBoOVAqqf8J+2T93QwuSOtFAzteF//QRnrvU71PqqiAiR6XOAdkCDQerd2ZAEU7HQpZvxoQjWGPonFuUMxnNZVxdYod7dyM0HiCOgyRjuDRfxQFERZjnHLO/NKalc4iza+KPx8B8zb4ttCSZhRssI8Q7fly8SZck270VoQ==
X-YMail-OSG: NLHAJQ0VM1kd6pKClDSRJsxYXPg97..CPYBaX8h2hGikEKpTMI3t8VzFlGscVSV ENTOzQoxRUTKHapznxmu7pvt.Pw.kT.jslUm9TkgEBEYlTsxKiFcYDjHAbsHPamncES2chTSzUO. EUCmTbqXrwPu4oSfgjDhmI9J48RXYVgxpktNARxFKyNw4DRAB4o3RiYmoT7aEWwd0z2xo7q8Bsky 3TRx2aex5zC9rZju.H.D19H7IqcfocfUyj68J1OGvHH0zq8I0dJT.xvq7s2QEWVu67xYDd3F8z.s 3iC62k8SXCAzcb99CaTMq5V6DGDRrzB2fatDaSF4xGXIV7uFLdXYAgcvMod4SFx1dsmcv5zjGfm5 XT3ynqToW0u2d.kLBcb4yET3fVgUOw1fQvQloLn2PwSrmeVedOtAeHSSkhl.VZ.xRZyeLrTk3r9K 7LatQij891NJyNOf.kAqghCoGxR97PAe.gyoA33co3V232x8SkSks4LarS2G4Dafr_iw4H5oxAOC ff2Paez.TC6nAnhNGI.PT9jX8IpvmTeVv6Rb808OJ_V31xmfD.voFXsAl9.Gxv9wDUWDcX.2qYlT my8CI8ILwoS3wbhiHWa5wrMwel4_ueu5VhvqM1TZHRxDrwwWJJ48K.cSiWiA6UW4bwPhiQJ29_vT x6NziA6xBhnwodD_Wv88JUnRvstd2pHsLNds811HMqPD9KfTUg8O9py9.dliJEYjHIu_P3CyjaiE .HzLe1BSrtmSGprLpxiyXHvLJTP0DVZv.bqTAUkiQovXW53hdfNtLhS00ld1Ln.GCvM2G1gATliM .JcK_OVlwPhEGRqmF3KvCJLznM5QsMPChC1trUlZVLZnZugzn16RHCWCUz_2tLzSFxXa2h8Aq2Fx ZfmS1jz_yDqynWExB82uYw_c3ntWxki4Dg8mRxQ_n09_6q77ifjP3Ae.MzJfhy9OBoQ_MinLxOZ7 w9Su3WAbFo3WwmbEjY.Etk5DrMeqerpEQ7aFPjCILIeeYrcG7EGhkqRHFZI7gL03_yAbToJ0yLRG cA4_Ja1BrAtWbgT5ZpDryuiNRNhTw7oY_ClndGoRUy5avtDCWDe19r0e1x6BVTpscpIiXFsHu
Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.bf2.yahoo.com with HTTP; Tue, 12 Feb 2019 20:27:39 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp426.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 1c8ce54ba487be5367cca4ff53aada40; Tue, 12 Feb 2019 20:27:38 +0000 (UTC)
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth <oauth@ietf.org>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <CA+k3eCT+mPu0=9TDKtuVqXy=zStEWTS5aVOsc2TuJcYQ2cvE6A@mail.gmail.com> <CC05C965-3308-4449-A1E2-EDA0119BE5D2@amazon.com> <CA+k3eCTXLJuQAjSgskfv95_cqnepmBDSzbidLSZsOS33SkLFEA@mail.gmail.com> <54A2B8BD-2794-45B6-969B-E6155A1B7EBE@amazon.com> <CA+k3eCRCxPnHNDpPugNaETqdogMun259Vzru4QPn0qBVuxckpA@mail.gmail.com> <CA+k3eCSYPR2TSFQc_Unbc-sexN8SFmp7PD4qjUFUo3Ju7hg7fQ@mail.gmail.com> <CA+k3eCT6s+zFsK0E1aXf3jMhJyPOQ=GpgnFYJNH7X13WuAR6qA@mail.gmail.com> <18CD2B6D-5FA9-45B1-9334-EB785F40A6A9@amazon.com> <CA+k3eCT+pF_aya_9OWB7e_XsSF1KdYz7ys+KjYX6QVEZi84n_Q@mail.gmail.com> <CAO7Ng+tR1OiwbSTokF8KNaP0KM7pyaLwTOUdor-dnGv4Rk4yng@mail.gmail.com> <CA+k3eCQK=+Bk9pUok7kPOs-DtGMgcgYOqsVQ=ejXQ6KEp7ZGpA@mail.gmail.com> <CAO7Ng+tGnf1fvWjsewexUidiJo06ZdQZbFthTrJZRqSYVB+t0g@mail.gmail.com> <CA+k3eCQy7G9AVMAsKUwGdVUGtGDNdV1A39571jNXoctPE+fEHA@mail.gmail.com> <DDDC7C84-60FF-43CD-BC1F-E13CD6937655@amazon.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <46105936-5ab5-af0f-764e-c9a1a2b6a66f@aol.com>
Date: Tue, 12 Feb 2019 15:27:37 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <DDDC7C84-60FF-43CD-BC1F-E13CD6937655@amazon.com>
Content-Type: multipart/alternative; boundary="------------A854F252FE9AEF83274F2E20"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/baBTK7shJbzqV9oMb4PCMYy7zrk>
Subject: Re: [OAUTH-WG] MTLS token endoint & discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:27:46 -0000
I prefer this approach to an embedded JSON object. Possibly even just making the MTLS version its own directly referencable config under .well-known. Thanks, George On 2/12/19 2:47 PM, Richard Backman, Annabelle wrote: > > I’m not opposed to introducing a metadata change, if the scenario is > relevant and other approaches can’t adequately address it – and I’ll > readily grant that we probably don’t want to depend on consistency of > browser behavior at the intersection of client certificates and > Access-Control-Allow-Credentials. But care needs to be taken in > designing that metadata to avoid violating or otherwise negatively > impacting usage of RFC8414. > > Along those lines, instead of adding an “mtls_endpoints” metadata > parameter, we could add an “mtls_alternate_metadata” parameter whose > value is the URL of an alternate metadata document intended for > clients using mTLS. An mTLS-optional AS could have two different > metadata documents for mTLS and non-mTLS clients, reducing the > mTLS-optional scenario to the mTLS-only scenario. This sidesteps the > challenges of aligning the “either/or” semantics of mTLS-optional with > some of the rigid parameter definitions in RFC8414 (see: > token_endpoint, token_endpoint_auth_methods_supported). > > -- > > Annabelle Richard Backman > > AWS Identity > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org> > *Date: *Tuesday, February 12, 2019 at 10:58 AM > *To: *Dominick Baier <dbaier@leastprivilege.com> > *Cc: *oauth <oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] MTLS token endoint & discovery > > Thanks for the input, Dominick. > > I'd said previously that I was having trouble adequately gauging > whether or not there's sufficient consensus to go ahead with the > update. I was even thinking of asking the chairs about a consensus > call during the office hours meeting yesterday. But it got canceled. > And looking again back over the discussion, I don't believe a > consensus call is necessary. There's been a lot of general discussion > over the last several weeks during which several folks have stated > support for the proposal while there's been only one voice of direct > dissent. That seems like rough enough consensus and, as such, I plan > to make the change in the next revision of the document (which should > be done soon). Chairs, please let me know, if you believe the > situation warrants a different course of action. > > On Mon, Feb 11, 2019 at 11:01 PM Dominick Baier > <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com>> wrote: > > IMHO that’s a reasonable and pragmatic option. > > Thanks > > ——— > > Dominick > > On 11. February 2019 at 13:26:37, Brian Campbell > (bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>) > wrote: > > It's been pointed out that the potential issue is not isolated > to the just token endpoint but that revocation, introspection, > etc. could be impacted as well. So, at this point, the > proposal on the table is to add a new optional AS metadata > parameter named 'mtls_endpoints' that's value we be a JSON > object which itself contains endpoints that, when present, a > client doing MTLS would use rather than the regular > endpoints. A straw-man example might look like this > > { > "issuer":"https://server.example.com", > "authorization_endpoint":"https://server.example.com/authz", > "token_endpoint":"https://server.example.com/token", > "token_endpoint_auth_methods_supported":[ > "client_secret_basic","tls_client_auth", "none"], > "userinfo_endpoint":"https://server.example.com/userinfo", > "revocation_endpoint":"https://server.example.com/revo", > "jwks_uri":"https://server.example.com/jwks.json", > *"mtls_endpoints":{ > "token_endpoint":"https://mtls.example.com/token", > "userinfo_endpoint":"https://mtls.example.com/userinfo", > "revocation_endpoint":"https://mtls.example.com/revo > <https://mtls..example.com/revo>" > }* > } > > A client doing MTLS would look for and give precedence to an > endpoint under "mtls_endpoints" while falling back to use the > normal endpoint from the top level of metadata when/if its not > in "mtls_endpoints". > > > The idea being that "regular" clients (those not doing MTLS) > will use the regular endpoints. And only the host/port of the > endpoints listed in mtls_endpoints will be set up to request > TLS client certificates during handshake. Thus any potential > impact of the CertificateRequest message being sent in the TLS > handshake can be avoided for all the other regular clients > that are not going to do MTLS - including and most importantly > in-browser javascript clients where there can be less than > desirable UI presented to the end-user. > > I'm struggling, however, to adequately gauge whether or not > there's sufficient consensus to go ahead with the update. > There's been some support for it voiced. As well as talk of > other approaches that could be alternatives or additional > measures. And also some vocal opposition to it. > > On Sat, Feb 9, 2019 at 3:09 AM Dominick Baier > <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com>> > wrote: > > We are currently implementing MTLS in IdentityServer. > > Our approach will be that we’ll offer a separate token > endpoint that supports client certs. Are you planning on > adding an official endpoint name for discovery? Right now > we are using “mtls_token_endpoint”. > > Thanks > > ——— > > Dominick > > On 7. February 2019 at 22:36:55, Brian Campbell > (bcampbell=40pingidentity.com@dmarc.ietf.org > <mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>) wrote: > > Ah yes, that makes sense. Thanks for clarifying. And > it is indeed a good reminder that even a seemingly > innocuous change that should be backwards compatible > can break things unexpectedly.. > > On Thu, Feb 7, 2019 at 8:57 AM Richard Backman, > Annabelle <richanna@amazon.com > <mailto:richanna@amazon.com>> wrote: > > The case I’m referencing didn’t specifically > involve AS metadata. We had clients in the wild > that assumed that all the properties in the JSON > object returned from our userinfo endpoint were > scalar strings. This broke when we introduced a > new property whose value was a JSON object. It was > a good reminder that even a seemingly innocuous > change that should be backwards compatible can > force more work on clients than we expect. > > -- > > Annabelle Richard Backman > > AWS Identity > > *From:* Brian Campbell <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> > *Date:* Wednesday, February 6, 2019 at 11:30 AM > *To:* "Richard Backman, Annabelle" > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf.org>> > *Cc:* "Richard Backman, Annabelle" > <richanna@amazon.com > <mailto:richanna@amazon.com>>, oauth > <oauth@ietf.org <mailto:oauth@ietf.org>> > *Subject:* Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: > MTLS and in-browser clients using the token endpoint > > And I'm honestly really struggling to see what > could have gone wrong with or how > token_endpoint_auth_methods broke something with > the user info endpoint. If you have the time > and/or it'd be informative to this here little > discussion, please explain that one a bit more. > > On Wed, Feb 6, 2019 at 12:15 PM Brian Campbell > <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> wrote: > > "far" should have said "fair" in the previous > message > > On Tue, Feb 5, 2019 at 4:35 PM Brian Campbell > <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> wrote: > > It may well be due to my own intellectual > shortcomings but these > issues/questions/confusion-points are not > resonating for me as being problematic. > > The more general stance of "this isn't > needed or worth it in this document" (I > think that's far?) is being heard though. > > On Tue, Feb 5, 2019 at 1:42 PM Richard > Backman, Annabelle > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf...org>> wrote: > > (TL;DR: punt AS metadata to a separate > draft) > > AS points #1-3 are all questions I > would have as an implementer: > > 1. Section 2 of RFC8414 > <https://tools.ietf.org/html/rfc8414#section-2> > says token_endpoint “is REQUIRED > unless only the implicit grant > type is supported.” So what does > the mTLS-only AS put here? > 2. The claims for these other > endpoints are OPTIONAL, > potentially leading to > inconsistency depending on how #1 > gets decided. > 3. The example usage of the > token_endpoint_auth_methods > property given earlier is > incompatible with RFC8414, since > some of its contents are only > valid for the non-mTLS endpoints, > and others are only valid for the > mTLS endpoints. Hence this question. > 4. This introduces a new metadata > property that could impact how > other specs should extend AS > metadata. That needs to be addressed. > > I could go on for client points but > you already get the point. Though I’ll > share that #3 is real and once forced > me to roll back an update to the Login > with Amazon userinfo endpoint…good > times. 😃 > > I don’t necessarily think an AS > metadata property is wrong per se, but > understand that you’re bolting a layer > of flexibility onto a standard that > wasn’t designed for that, and I don’t > think the metadata proposal as it’s > been discussed here sufficiently deals > with the fallout from that. In my view > this is a complex enough issue and > it’s for a nuanced enough use case (as > far as I can tell from discussion? > Please correct me if I’m wrong) that > we should punt it to a separate draft > (e.g., “Authorization Server Metadata > Extensions for mTLS Hybrids”) and get > mTLS out the door. > > -- > > Annabelle Richard Backman > > AWS Identity > > *From:* OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> on > behalf of Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org > <mailto:40pingidentity.com@dmarc.ietf.org>> > *Date:* Monday, February 4, 2019 at > 5:28 AM > *To:* "Richard Backman, Annabelle" > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf.org>> > *Cc:* oauth <oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:* Re: [OAUTH-WG] [UNVERIFIED > SENDER] Re: MTLS and in-browser > clients using the token endpoint > > Those points of confusion strike me as > somewhat hypothetical or hyperbolic. > But your general point is taken and > your position of being anti additional > metadata on this issue is noted. > > All of which leaves me a bit uncertain > about how to proceed. There seem to be > a range of opinions on this point and > gauging consensus is proving elusive > for me. That's confounded by my own > opinion on it being somewhat fluid. > > And I'd really like to post an update > to this draft about a month or two ago. > > On Fri, Feb 1, 2019 at 5:03 PM Richard > Backman, Annabelle > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf...org>> > wrote: > > Confusion from the AS’s perspective: > > 1. If I only support mTLS, do I > need to include both > token_endpoint_uri and > mtls_endpoints? Should I omit > token_endpoint_uri? Or set it > to the empty string? > 2. What if I only support mTLS > for the token endpoint, but > not revocation or user info? > 3. How do I specify > authentication methods for the > mTLS token endpoint? Does > token_endpoint_auth_methods > apply to both the mTLS and > non-mTLS endpoints? > 4. I’m using the OAuth 2.0 Device > Flow. Do I include a > mTLS-enabled > device_authorization_endpoint > under mtls_endpoints? > > Confusion from the client’s > perspective: > > 1. As far as I know, I’m a public > client, and don’t know > anything about mTLS, but the > IT admins installed client > certs in their users’ browsers > and the AS expects to use that > to authenticate me. > 2. My AS metadata parser crashed > because the mTLS-only AS > omitted token_endpoint_uri. > 3. My AS metadata parser crashed > because it didn’t expect to > encounter a JSON object as a > parameter value. > 4. The mTLS-only AS didn’t > provide a value for > mtls_endpoints, what do I do? > 5. I don’t know what that “m” > means, but they told me to use > HTTPS, so I should use the one > with “tls” in its name, right? > > Yes, you can write normative text > that answers most of these. But > you’ll have to clearly cover a lot > of similar-but-slightly-different > scenarios and be very explicit. > And implementers will still get it > wrong. The metadata change > introduces opportunities for > confusion and failure that do not > exist now, and forces them on > everyone who supports mTLS. In > contrast, the 307 redirect is only > required when an AS wants to > support both, and is unambiguous > in its behavior and meaning. > > -- > > Annabelle Richard Backman > > AWS Identity > > *From:* Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org > <mailto:40pingidentity.com@dmarc.ietf.org>> > *Date:* Friday, February 1, 2019 > at 3:17 PM > *To:* "Richard Backman, Annabelle" > <richanna@amazon.com > <mailto:richanna@amazon.com>> > *Cc:* George Fletcher > <gffletch@aol.com > <mailto:gffletch@aol.com>>, oauth > <oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:* [UNVERIFIED SENDER] Re: > [OAUTH-WG] MTLS and in-browser > clients using the token endpoint > > It doesn't seem like that > confusing or large of a change to > me - if the client is doing MTLS > and the given endpoint is present > in `mtls_endpoints`, then it uses > that one. Otherwise it uses the > regular endpoint. It gives an AS a > lot of flexibility in deployment > options. I personally think > getting a 307 approach deployed > and working would be more > complicated and error prone. > > It is a minority use case at the > moment but there are forces in > play, like the push for increased > security in general and to have > javascript clients use the code > flow, that suggest it won't be > terribly unusual to see an AS that > wants to support MTLS clients and > javascript/spa clients at the same > time. > > I've personally wavered back and > forth in this thread on whether or > not to add the new metadata (or > something like it). With my > reasoning each way kinda explained > somewhere back in the 40 or so > messages that make up this thread. > But it seems like the rough > consensus of the group here is in > favor of it. > > On Fri, Feb 1, 2019 at 3:18 PM > Richard Backman, Annabelle > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf...org>> > wrote: > > This strikes me as a very > prominent and confusing change > to support what seems to be a > minority use case. I’m getting > a headache just thinking about > the text needed to clarify > when the AS should provide > `mtls_endpoints` and when the > client should use that versus > using `token_endpoint.` Why is > the 307 status code > insufficient to cover the case > where a single AS supports > both mTLS and non-mTLS? > > -- > > Annabelle Richard Backman > > AWS Identity > > *From:* OAuth > <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> > on behalf of Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org > <mailto:40pingidentity.com@dmarc.ietf.org>> > *Date:* Friday, February 1, > 2019 at 1:31 PM > *To:* George Fletcher > <gffletch=40aol.com@dmarc.ietf.org > <mailto:40aol.com@dmarc......ietf.org>> > *Cc:* oauth <oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:* Re: [OAUTH-WG] MTLS > and in-browser clients using > the token endpoint > > Yes, that would work. > > On Fri, Feb 1, 2019 at 2:28 PM > George Fletcher > <gffletch=40aol.com@dmarc.ietf.org > <mailto:40aol.com@dmarc.ietf.org>> > wrote: > > What if the AS wants to > ONLY support MTLS > connections. Does it not > specify the optional > "mtls_endpoints" and just > use the normal metadata > values? > > On 1/15/19 8:48 AM, Brian > Campbell wrote: > > It would definitely be > optional, apologies if > that wasn't made > clear. It'd be > something to the > effect of optional for > the AS to include and > clients doing MTLS > would use it when > present in AS metadata. > > On Tue, Jan 15, 2019 > at 2:04 AM Dave Tonge > <dave.tonge@momentumft.co.uk > <mailto:dave.tonge@momentumft.co.uk>> > wrote: > > I'm in favour of > the > `mtls_endpoints` > metadata parameter > - although it > should be optional. > > > /CONFIDENTIALITY > NOTICE: This email may > contain confidential > and privileged > material for the sole > use of the intended > recipient(s). Any > review, use, > distribution or > disclosure by others > is strictly > prohibited.. If you > have received this > communication in > error, please notify > the sender immediately > by e-mail and delete > the message and any > file attachments from > your computer. Thank you./ > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf..org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > */CONFIDENTIALITY NOTICE: This > email may contain confidential > and privileged material for > the sole use of the intended > recipient(s). Any review, use, > distribution or disclosure by > others is strictly > prohibited.. If you have > received this communication in > error, please notify the > sender immediately by e-mail > and delete the message and any > file attachments from your > computer. Thank you./* > > > */CONFIDENTIALITY NOTICE: This > email may contain confidential and > privileged material for the sole > use of the intended recipient(s). > Any review, use, distribution or > disclosure by others is strictly > prohibited.. If you have received > this communication in error, > please notify the sender > immediately by e-mail and delete > the message and any file > attachments from your computer. > Thank you./* > > > */CONFIDENTIALITY NOTICE: This email > may contain confidential and > privileged material for the sole use > of the intended recipient(s). Any > review, use, distribution or > disclosure by others is strictly > prohibited.. If you have received this > communication in error, please notify > the sender immediately by e-mail and > delete the message and any file > attachments from your computer. Thank > you./* > > > */CONFIDENTIALITY NOTICE: This email may contain > confidential and privileged material for the sole > use of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly > prohibited. If you have received this > communication in error, please notify the sender > immediately by e-mail and delete the message and > any file attachments from your computer. Thank you./* > > > */CONFIDENTIALITY NOTICE: This email may contain > confidential and privileged material for the sole use > of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly > prohibited.. If you have received this communication > in error, please notify the sender immediately by > e-mail and delete the message and any file attachments > from your computer. Thank you./* > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > */CONFIDENTIALITY NOTICE: This email may contain confidential > and privileged material for the sole use of the intended > recipient(s). Any review, use, distribution or disclosure by > others is strictly prohibited. If you have received this > communication in error, please notify the sender immediately > by e-mail and delete the message and any file attachments from > your computer. Thank you./* > > > */CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited.. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./* > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] MTLS and in-browser clients using the … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … Dave Tonge
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … George Fletcher
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
- Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
- Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
- Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
- Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
- Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Dominick Baier
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell