Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Sun, 25 November 2018 18:22 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3501288EB for <oauth@ietfa.amsl.com>; Sun, 25 Nov 2018 10:22:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cTW88zm8v0y for <oauth@ietfa.amsl.com>; Sun, 25 Nov 2018 10:22:56 -0800 (PST)
Received: from mail-it1-x136.google.com (mail-it1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5691412D84C for <oauth@ietf.org>; Sun, 25 Nov 2018 10:22:56 -0800 (PST)
Received: by mail-it1-x136.google.com with SMTP id b5so24228484iti.2 for <oauth@ietf.org>; Sun, 25 Nov 2018 10:22:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VdWCRf+4iNUxg99UqU1EiJVplXPjcjWy35gIsVPjk/o=; b=u8ZZXVkp169ymTaESR7m3zizsh1PZg0Z1IsOYO3rZF9LdojtvazSB5UIuIb73yTNaF ucloTA3gvuKt9MDT0CybRyxqfTDItjWCWj6l265PVbtoBeH+ma/XeuYgzEbH3rTLJ4/R Fn2kCD5AIQw3AIrlvWBvjeF+Pni4Tvlrg7zMalxL2jGr9Ob0hKPX7ry1HKxC/xRVzS6X 1w7VVWX4hCIogOCG8xEDQ5Ur4pXvfFcwh044qQbytDev7uvS+Kruh7kLIdtiq1LyxuHo Zu3K12/X/4SLDSDKNnTZRem9WurwaV6idTxLY4etkH9QIg1DHzJGD1ZzR4xoC7SpS8yV GVkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VdWCRf+4iNUxg99UqU1EiJVplXPjcjWy35gIsVPjk/o=; b=abT4wW42QXGX5fGYxZnI7Z1QFtw00CCM2xNvYZPoH25k3FHbabAgPp7jMpa+aEsU1O HVrk5GFx1VoRRqiAKw5503McCQ6JjGj+tYm8+sWK8yxZ5Q9rbNuKRLd1ZOFyYgj9o7gP w281Kap+mt8ydC+IJIRtIJanO8zEUCEJR66pSE+JO7atdGewdik7m7DDRvVvYuLCWQY8 EEOF3E3ZDwNwT/yTgR1HOLi2Ha/3fOpHvCy/uLjxO6E/S/0/0ADNZHH7pBIky9Bz5tne 3MduldOhIfepexvJwAoq7S+EYbvVuseehIYyaYWuo36hMML4Q0suOUE+8ZTL8XOP6tuu I1Yg==
X-Gm-Message-State: AA+aEWY6ywLshmIZ3d9doEZxjxCb6X61Qs4f5gvEDGvCukM7okaj80j1 iN8tomNQGE0v/I8uUu1CEZUsqtS1UtPZSBjvkcL10Q==
X-Google-Smtp-Source: AFSGD/WpgWvA/Za50wLSkiIr+hN9g17MOsCv3+O3awfRbEJThBOlT4l9bUu5yabRtNGNv1AbyFWvrJw9XvMI2h29jB4=
X-Received: by 2002:a24:76d0:: with SMTP id z199mr8648034itb.165.1543170175508; Sun, 25 Nov 2018 10:22:55 -0800 (PST)
MIME-Version: 1.0
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <BL0PR00MB029244CACC634E2D2E923B77F5D80@BL0PR00MB0292.namprd00.prod.outlook.com> <61A6D327-D4EE-4954-B57F-4FF42BB22E7E@lodderstedt.net> <90e0cb05-5245-1a67-4eca-16996e7db2fc@ve7jtb.com> <DM5PR00MB02937F639067DC15DC9D80D4F5D90@DM5PR00MB0293.namprd00.prod.outlook.com> <3485431a-74fc-408e-5360-c87c4bafc1fa@aol.com> <CAANoGhKNnQ-o-bBT+kL71d=pjAC_C6qS-2a5TCgE8CnzL1f6cA@mail.gmail.com> <ADF0AB95-6B6A-4535-B22D-29E69B216CE7@lodderstedt.net> <21a00a22-0524-07de-ac0e-77d597e5a9a1@aol.com> <DDC7F811-9F95-48B4-AC80-C92C638B7690@lodderstedt.net> <CA+iA6uhGnuYFboB+afq2W46OO5mHcLCby7zLkDA2bxy-9=CZBg@mail.gmail.com> <0263F10B-0CDA-4CE4-A5B0-06221C1673B8@lodderstedt.net>
In-Reply-To: <0263F10B-0CDA-4CE4-A5B0-06221C1673B8@lodderstedt.net>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Sun, 25 Nov 2018 13:22:44 -0500
Message-ID: <CAGL6ep+LpiMmRv6EUs6WWdL90sZ=AQwxRaFXJFbp=755G=yU8w@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023a94d057b814e96"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ctniQ9v6NNDYEuW3yxHoMLKndMY>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Nov 2018 18:23:00 -0000
Hi Torsten, I am assuming that these recommendations are mainly for Public Clients, not Confidential Clients; is that correct? Regards, Rifaat On Sun, Nov 25, 2018 at 12:33 PM Torsten Lodderstedt < torsten@lodderstedt.net> wrote: > Hi all, > > I would like to state again what the proposal of the authors of the > Security BCP is: > > Here is the respective text from the draft: > > —— > > 2.1.2. Implicit Grant > > The implicit grant (response type "token") and other response types > causing the authorization server to issue access tokens in the > authorization response are vulnerable to access token leakage and > access token replay as described in Section 3.1, Section 3.2, Section > 3.3, and Section 3.6. > > Moreover, no viable mechanism exists to cryptographically bind access > tokens issued in the authorization response to a certain client as it > is recommended in Section 2.2. This makes replay detection for such > access tokens at resource servers impossible. > > In order to avoid these issues, Clients SHOULD NOT use the implicit > grant or any other response type causing the authorization server to > issue an access token in the authorization response. > > Clients SHOULD instead use the response type "code" (aka > authorization code grant type) as specified in Section 2.1.1 or any > other response type that causes the authorization server to issue > access tokens in the token response. This allows the authorization > server to detect replay attempts and generally reduces the attack > surface since access tokens are not exposed in URLs. It also allows > the authorization server to sender-constrain the issued tokens. > —— > > In my observation, discouraging implicit seems to be the less > controversial issue. > > „or any other response type causing the authorization server to issue an > access token in the authorization response.“ in the 3rd paragraph caused > discussions because it suggests to discourage developers from using ANY > response type issuing access tokens in the authorization response. This > includes OIDC’s response types „token id_token“, „code token“ & „code token > id_token“, where at least „token id_token“ is used in the wild to > implement SPAs. > > Why did we come up with this proposal given at least „token id_token“ & > „code token id_token“ protect against injection? > > Two reasons: > > 1) „token id_token“ does not support sender constrained tokens. Also use > of refresh tokens to frequently issue new live-time and privilege > restricted access tokens is not supported. „code token id_token“ seems more > complex than just „code“+pkce for achieving the same goal. > > 2) Protection against token leakage is rather thin and fragile. There is > just a single line of defense (CSP, open redirection prevention, browser > history manipulation) implemented by the client. > > Daniel and I collected some more information and argument at > https://github.com/tlodderstedt/oauth2_spa/blob/master/README.md that you > might like to give a read. > > My conclusion after 2 weeks of intensive discussions with SPA developers > (mostly on twitter): code+pkce is the more secure, simpler, and more > versatile approach to (also) implement SPAs. I prefer to approach > developers with a clean and robust message instead of a lengthy description > of what needs to go right in order to secure a SPA using OAuth. That’s why > I think code+pkce should be the recommendation of our working group. > > So please vote in favor of our proposal. I think that’s a huge improvement > for OAuth. > > kind regards, > Torsten. > > > > Am 25.11.2018 um 12:55 schrieb Hans Zandbelt <hans.zandbelt@zmartzone.eu > >: > > > > I strongly support the recommendation of using code instead of implicit. > I do so based on my own experience in the field [1] and stick to that also > after reading the comments and (what I would call) workarounds on this > thread. > > > > Hans. > > > > [1] > https://hanszandbelt.wordpress.com/2017/02/24/openid-connect-for-single-page-applications/ > > > > On Thu, Nov 22, 2018 at 5:45 AM Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > > that’s certainly true, but that might by a web server with static > content only. > > > > If the server is a real backend, there is even less reasons to use a > implicit or hybrid. No even a performance gain in comparison to code. > > > > Am 21..11.2018 um 14:24 schrieb George Fletcher <gffletch@aol.com>: > > > >> An SPA has a backend because it has to be loaded from somewhere :) > >> > >> On 11/21/18 3:47 AM, Torsten Lodderstedt wrote: > >>> We had a discussion about this topic on Twitter > https://twitter.com/Apl3b/status/1064854507606208513 > >>> > >>> > >>> Outcome is POST requires a backend to receive the request so it’s not > a viable solution for SPAs. > >>> > >>> > >>>> Am 20.11.2018 um 23:29 schrieb John Bradley <ve7jtb@ve7jtb.com> > >>>> : > >>>> > >>>> Post response works OK for server based clients. I don't think POST > works for single page applications. > >>>> > >>>> Basically that would be something more like postmessage between two > JS apps. > >>>> > >>>> Postmessage also has security issues passing a access token and > leaking. > >>>> > >>>> Perhaps someone more familiar with SPA can comment on POST. > >>>> > >>>> John B. > >>>> > >>>> > >>>> > >>>> On Tue, Nov 20, 2018, 6:40 PM George Fletcher < > >>>> gffletch@aol.com > >>>> wrote: > >>>> Hi Mike, > >>>> > >>>> The Form Post Response Mode keeps the access_token out of the URL, > but it doesn't prevent the token from traversing through the browser. So a > man-in-the-browser attack may be able to intercept the values. It should > help with leakage in logs. > >>>> > >>>> Thanks, > >>>> George > >>>> > >>>> On 11/20/18 4:00 PM, Mike Jones wrote: > >>>> > >>>>> Next question – doesn’t using the Form Post Response Mode > https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html > >>>>> mitigate the threats you’re describing below John? If so, I > believe the Security Topics draft should say this. > >>>>> > >>>>> > >>>>> > >>>>> I believe we owe it to readers to present the complete picture, > which is why I believe that describing profiles using ID Tokens and the > Form Post Response Mode are in scope. > >>>>> > >>>>> > >>>>> > >>>>> -- Mike > >>>>> > >>>>> > >>>>> > >>>>> From: OAuth > >>>>> <oauth-bounces@ietf.org> > >>>>> On Behalf Of John Bradley > >>>>> Sent: Tuesday, November 20, 2018 7:47 AM > >>>>> To: > >>>>> oauth@ietf.org > >>>>> > >>>>> Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend > authorization code instead of implicit > >>>>> > >>>>> > >>>>> > >>>>> Yes the at_hash protects the client from accepting an injected AT. > >>>>> > >>>>> Unfortunately it doesn't do anything to protect against leakage in > logs or redirects. > >>>>> > >>>>> So without the AT using some sort of POP mechanism it is hard to say > sending it in a redirect is a good security practice. > >>>>> > >>>>> John B. > >>>>> > >>>>> On 11/20/2018 4:35 AM, Torsten Lodderstedt wrote: > >>>>> > >>>>> Hi Mike, > >>>>> > >>>>> I agree that OIDC hybrid flows offer additional security over the > OAuth implicit grant and are used in the wild. On my slides and in the > initial version of the new section, we had included the hybrid OIDC flows > because of their known token injection countermeasures. > >>>>> > >>>>> I nevertheless feel very uncomfortable to recommend those flows and > any flow issuing access tokens in the front channel. In the course of the > detailed review of the new text we realized two issues: > >>>>> > >>>>> 1) Since the access token is exposed in the URL, such flows possess > a significantly higher risk to leak the access token (e.g. through browser > history, open redirection and even referrer headers) than the code grant. > >>>>> 2) There is no viable way to sender constrain access tokens issued > in the front channel. Given the WG decided to recommend use of sender > constraint tokens ( > >>>>> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2...2 > >>>>> ), it seems contradictory to recommend response types not supporting > such an approach. > >>>>> > >>>>> kind regards, > >>>>> Torsten. > >>>>> > >>>>> Am 19.11.2018 um 23:13 schrieb Mike Jones > >>>>> <Michael.Jones=40microsoft.com@dmarc.ietf.org> > >>>>> : > >>>>> > >>>>> This description of the situation is an oversimplification.. OpenID > Connect secures the implicit flow against token injection attacks by > including the at_hash (access token hash) in the ID Token, enabling the > client to validate that the access token was created by the issuer in the > ID Token (which is also the OAuth Issuer, as described in RFC 8414). (Note > that this mitigation was described in draft-ietf-oauth-mix-up-mitigation.) > >>>>> > >>>>> Given the prevalence of this known-good solution for securing the > implicit flow, I would request that the draft be updated to describe this > mitigation. At the same time, I’m fine with the draft recommending the > code flow over the implicit flow when this mitigation is not used. > >>>>> > >>>>> > Thank you, > >>>>> -- > Mike > >>>>> > >>>>> From: OAuth > >>>>> <oauth-bounces@ietf.org> > >>>>> On Behalf Of Hannes Tschofenig > >>>>> Sent: Monday, November 19, 2018 2:34 AM > >>>>> To: oauth > >>>>> <oauth@ietf.org> > >>>>> > >>>>> Subject: [OAUTH-WG] OAuth Security Topics -- Recommend authorization > code instead of implicit > >>>>> > >>>>> Hi all, > >>>>> > >>>>> The authors of the OAuth Security Topics draft came to the > conclusion that it is not possible to adequately secure the implicit flow > against token injection since potential solutions like token binding or > JARM are in an early stage of adoption. For this reason, and since CORS > allows browser-based apps to send requests to the token endpoint, Torsten > suggested to use the authorization code instead of the implicit grant in > call cases in his presentation (seehttps:// > >>>>> > datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-security-topics-01 > >>>>> ). > >>>>> > >>>>> A hum in the room at IETF#103 concluded strong support for his > recommendations. We would like to confirm the discussion on the list. > >>>>> > >>>>> Please provide a response by December 3rd. > >>>>> > >>>>> Ciao > >>>>> Hannes & Rifaat > >>>>> > >>>>> IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > >>>>> _______________________________________________ > >>>>> OAuth mailing list > >>>>> > >>>>> OAuth@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/oauth > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> OAuth mailing list > >>>>> > >>>>> OAuth@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/oauth > >>>>> > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> OAuth mailing list > >>>>> > >>>>> > >>>>> OAuth@ietf.org > >>>>> https://www.ietf.org/mailman/listinfo/oauth > >>>> _______________________________________________ > >>>> OAuth mailing list > >>>> > >>>> OAuth@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/oauth > >> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > -- > > hans.zandbelt@zmartzone.eu > > ZmartZone IAM - www.zmartzone.eu > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth Security Topics -- Recommend aut… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hans Zandbelt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… William Denniss
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Nat Sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Richard Backman, Annabelle
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Petteri Stenius
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dave Tonge
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Willeke
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dominick Baier
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Marius Scurtescu
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Justin Richer
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brock Allen
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt