Re: [OAUTH-WG] WG Action: Rechartered Web Authorization Protocol (oauth)

Mike Jones <> Fri, 22 January 2016 20:23 UTC


From: The IESG<>
Sent: 1/22/2016 12:02 PM
To: IETF-Announce<>
Cc:<>; The IESG<>;<>
Subject: [OAUTH-WG] WG Action: Rechartered Web Authorization Protocol (oauth)

The Web Authorization Protocol (oauth) WG in the Security Area of the
IETF has been rechartered. For additional information, please contact the
Area Directors or the WG Chairs.

Web Authorization Protocol (oauth)
Current status: Active WG

Chairs:
  Hannes Tschofenig <>
  Derek Atkins <>

Assigned Area Director:
  Kathleen Moriarty <>

Mailing list:
  To subscribe:


The Web Authorization (OAuth) protocol allows a user to grant a
third-party web site or application access to the user's protected
resources, without necessarily revealing their long-term credentials,
or even their identity. For example, a photo-sharing site that
supports OAuth could allow its users to use a third-party printing web
site to print their private pictures, without allowing the printing
site to gain full control of the user's account and without having the
user share his or her photo-sharing site's long-term credential with
the printing site.

The OAuth 2.0 protocol suite already includes

* a procedure for enabling a client to register with an authorization
  server,
* a protocol for obtaining authorization tokens from an authorization
  server with the resource owner's consent, and
* protocols for presenting these authorization tokens to protected
  resources for access to a resource.

This protocol suite has been enhanced with functionality for
interworking with legacy identity infrastructure (such as SAML), token
revocation, token exchange, dynamic client registration, token
introspection, a standardized token format with the JSON Web Token, and
specifications that mitigate security attacks, such as Proof Key for
Code Exchange.

The ongoing standardization efforts within the OAuth working group
focus on increasing interoperability of OAuth deployments and
improving security. More specifically, the working group is defining proof
of possession tokens, developing a discovery mechanism, providing
guidance for the use of OAuth with native apps, re-introducing
the device flow used by devices with limited user interfaces, additional
security enhancements for clients communicating with multiple service
providers, definition of claims used with JSON Web Tokens, techniques to
mitigate open redirector attacks, as well as guidance on encoding state

For feedback and discussion about our specifications please
subscribe to our public mailing list at <oauth AT>.

For security-related bug reports that relate to our specifications
please contact <oauth-security-reports AT>. If the reported
bug turns out to be implementation-specific we will attempt
to forward it to the appropriate developers.

Milestones:
  Feb 2016 - Submit 'Request by JWS ver.1.0 for OAuth 2.0' to the IESG
             for consideration as a Proposed Standard
  Apr 2016 - Submit 'Proof-of-Possession OAuth Security' document bundle
             for consideration as a Proposed Standard
  Jul 2016 - Submit 'OAuth 2.0 Token Exchange' to the IESG for
             consideration as a Proposed Standard
