Re: [OAUTH-WG] draft-fett-oauth-dpop-00

George Fletcher <gffletch@aol.com> Wed, 03 April 2019 16:01 UTC

To: Daniel Fett <danielf+oauth@yes.com>, oauth@ietf.org
References: <0a9af6f6-1b5d-244d-06af-9d14461b1d69@yes.com> <4c849a55-013c-c606-8877-ae39a6ab79ff@aol.com> <435a1adb-6293-8745-96e8-d608f7dd934f@yes.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <458bb5b9-f31f-4564-ae13-bc9f17a3fa4a@aol.com>
Date: Wed, 03 Apr 2019 12:01:34 -0400
In-Reply-To: <435a1adb-6293-8745-96e8-d608f7dd934f@yes.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cAsmo4VkpXe0Jz_Vu8GeIjuEUmE>
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Perfect! Thank you! A couple comments on version 01...

    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded;charset=UTF-8
    DPoP-Binding: eyJhbGciOiJSU0ExXzUi ...

    grant_type=authorization_code
    &code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
    (remainder of JWK omitted for brevity)


I believe the "(remainder of JWK..." should be moved to the DPoP-Binding 
header...

Also, there is no discussion of the DPoP-Binding header outside of the 
token request, but I suspect that is the desired way to communicate the 
DPoP-Proof to the RS.

Possibly an example in the section for presenting the token to the RS 
would help.

Thanks,
George

On 4/3/19 11:39 AM, Daniel Fett wrote:
> This is fixed in -01:
>
> https://tools.ietf.org/html/draft-fett-oauth-dpop-01
>
> -Daniel
>
> On 03.04.19 at 17:28, George Fletcher wrote:
>> A quick question regarding...
>>
>>     o  "http_uri": The HTTP URI used for the request, without query and
>>        fragment parts (REQUIRED).
>>
>> Is 'without' supposed to be 'with' ? The example shows the http_uri 
>> *with* the query parameters :)
>>
>> On 3/28/19 6:17 AM, Daniel Fett wrote:
>>>
>>> Hi all,
>>>
>>> I published the first version of the DPoP draft at 
>>> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
>>>
>>> Abstract
>>>
>>>     This document defines a sender-constraint mechanism for OAuth 2.0
>>>     access tokens and refresh tokens utilizing an application-level
>>>     proof-of-possession mechanism based on public/private key pairs.
>>>
>>> Thanks for the feedback I received so far from John, Mike, Torsten, 
>>> and others during today's session or before!
>>>
>>> If you find any errors I would welcome if you open an issue in the 
>>> GitHub repository at https://github.com/webhamster/draft-dpop
>>>
>>> - Daniel
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth