IETF Logo Mail Archive

Re: [OAUTH-WG] JWT - scope claim missing

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Mon, 11 March 2013 16:11 UTC

Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C37E11E80FF for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2013 09:11:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[AWL=1.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_82=0.6, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id re7gUwbrDLSm for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2013 09:11:02 -0700 (PDT)
Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe004.messaging.microsoft.com [207.46.163.27]) by ietfa.amsl.com (Postfix) with ESMTP id 516DD11E80EF for <oauth@ietf.org>; Mon, 11 Mar 2013 09:11:02 -0700 (PDT)
Received: from mail1-co9-R.bigfish.com (10.236.132.243) by CO9EHSOBE005.bigfish.com (10.236.130.68) with Microsoft SMTP Server id 14.1.225.23; Mon, 11 Mar 2013 16:11:01 +0000
Received: from mail1-co9 (localhost [127.0.0.1]) by mail1-co9-R.bigfish.com (Postfix) with ESMTP id 7B8864C02F2 for <oauth@ietf.org>; Mon, 11 Mar 2013 16:11:01 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:192.160.210.14; KIP:(null); UIP:(null); IPV:NLI; H:ct11msg02.am.mot-solutions.com; RD:ct11msg02.mot-solutions.com; EFVD:NLI
X-SpamScore: -32
X-BigFish: VPS-32(zzbb2dI98dI9371Ic89bh936eIc85dh1432I179cI179dNzz1f42h1ee6h1de0h1202h1e76h1d1ah1d2ahzz8275ch1033IL177df4h17326ah8275dh18c673h1954cbh18602eh8275bhz2fh2a8h683h839hd25hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1155h)
Received-SPF: pass (mail1-co9: domain of motorolasolutions.com designates 192.160.210.14 as permitted sender) client-ip=192.160.210.14; envelope-from=Adam.Lewis@motorolasolutions.com; helo=ct11msg02.am.mot-solutions.com ; olutions.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.237.133; KIP:(null); UIP:(null); (null); H:BY2PRD0411HT004.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail1-co9 (localhost.localdomain [127.0.0.1]) by mail1-co9 (MessageSwitch) id 1363018258163454_31048; Mon, 11 Mar 2013 16:10:58 +0000 (UTC)
Received: from CO9EHSMHS017.bigfish.com (unknown [10.236.132.243]) by mail1-co9.bigfish.com (Postfix) with ESMTP id 17B0526008D for <oauth@ietf.org>; Mon, 11 Mar 2013 16:10:58 +0000 (UTC)
Received: from ct11msg02.am.mot-solutions.com (192.160.210.14) by CO9EHSMHS017.bigfish.com (10.236.130.27) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 11 Mar 2013 16:10:54 +0000
Received: from ct11msg02.am.mot-solutions.com (ct11vts01.am.mot.com [10.177.16.159]) by ct11msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id r2BGB6xL002355 for <oauth@ietf.org>; Mon, 11 Mar 2013 12:11:06 -0400 (EDT)
Received: from CO9EHSOBE035.bigfish.com (co9ehsobe005.messaging.microsoft.com [207.46.163.28]) by ct11msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id r2BGB4ja002346 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Mon, 11 Mar 2013 12:11:05 -0400 (EDT)
Received: from mail116-co9-R.bigfish.com (10.236.132.237) by CO9EHSOBE035.bigfish.com (10.236.130.98) with Microsoft SMTP Server id 14.1.225.23; Mon, 11 Mar 2013 16:10:52 +0000
Received: from mail116-co9 (localhost [127.0.0.1]) by mail116-co9-R.bigfish.com (Postfix) with ESMTP id EDDD6240207 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 11 Mar 2013 16:10:51 +0000 (UTC)
Received: from mail116-co9 (localhost.localdomain [127.0.0.1]) by mail116-co9 (MessageSwitch) id 1363018248815087_2365; Mon, 11 Mar 2013 16:10:48 +0000 (UTC)
Received: from CO9EHSMHS032.bigfish.com (unknown [10.236.132.245]) by mail116-co9.bigfish.com (Postfix) with ESMTP id B904D540076; Mon, 11 Mar 2013 16:10:48 +0000 (UTC)
Received: from BY2PRD0411HT004.namprd04.prod.outlook.com (157.56.237.133) by CO9EHSMHS032.bigfish.com (10.236.130.42) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 11 Mar 2013 16:10:46 +0000
Received: from BY2PRD0411MB441.namprd04.prod.outlook.com ([169.254.5.10]) by BY2PRD0411HT004.namprd04.prod.outlook.com ([10.255.128.39]) with mapi id 14.16.0275.006; Mon, 11 Mar 2013 16:10:46 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Phil Hunt <phil.hunt@oracle.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] JWT - scope claim missing
Thread-Index: AQHOFZ6Qe5ExGqoPnkOeJlU0r70rz5iPcwoAgAAB5gCAAAWJgIAABAMAgAAIM4CAAAN2AIAACPeAgAAGkICAAAeWAIAAAR2AgAAILoCAACqKMIAQ3nqvgAAE2hA=
Date: Mon, 11 Mar 2013 16:10:46 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A956897044@BY2PRD0411MB441.namprd04.prod.outlook.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A948D58BEE@BY2PRD0411MB441.namprd04.prod.outlook.com> <CA+k3eCSD3EqtNC0Z--+HKwENW9pbzCNGp2_LyVp0bAphvThnRA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A948D58DC0@BY2PRD0411MB441.namprd04.prod.outlook.com> <CABzCy2D=DTes1HZumJVURdoLVz9KgxAFXqe_fKydd8VYSgCUrA@mail.gmail.com> <FD9716CE-E7D1-42C7-91C7-8ADC9056B3B8@oracle.com> <59E470B10C4630419ED717AC79FCF9A956893F49@BY2PRD0411MB441.namprd04.prod.outlook.com>! ! <3C571C43-C53A-4385-8ADF-FB2A7E788B29@oracle.com> <EA0F42AE-54CF-4DE9-AEAC-A7B2531958D5@ve7jtb.com> <32C1936C-0922-4F1E-AF5F-C6E1C550602A@oracle.com>
In-Reply-To: <32C1936C-0922-4F1E-AF5F-C6E1C550602A@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [150.130.164.106]
Content-Type: multipart/alternative; boundary="_000_59E470B10C4630419ED717AC79FCF9A956897044BY2PRD0411MB441_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%ORACLE.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%VE7JTB.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2013 16:11:11 -0000

"Many people don't want a separate RS to AS communication channel. So the token should give the RS everything it needs.  So if scope was intended to be defined in terms of what the RS understands, then of course, the RS needs to know what was authorized."

This is my scenario, to be exact.  Development teams have given me pretty unequivocal feedback that the token they receive, they must be able to validate and process autonomously without having to reach back to the AS.  This is why I am looking to profile (for my use cases) the AT to be a structured JWT since this meets the demands of my developers.

This was actually proving to be difficult (utilizing the standard) since JWT was initially meant to audience restrict the token to the client; but with the new changes it seems I'll be able to use the standard as-is, and include an audience=RS claim.

adam

From: Phil Hunt [mailto:phil.hunt@oracle.com]
Sent: Monday, March 11, 2013 10:45 AM
To: John Bradley
Cc: Lewis Adam-CAL022; "WG <oauth@ietf.org>"@il06exr01.mot.com
Subject: Re: [OAUTH-WG] JWT - scope claim missing

I think we have a different view on what the AS and RS should be doing... see below.


Phil

@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>




On 2013-03-11, at 11:08 AM, John Bradley wrote:


Some thing that scopes are a  stupidly vague bucket of stuff inferring something about a permission for an action against a resource.

Sure. I think intent of the WG was that scopes be undefined but that that they would be highly localized to specific resource services.


If people want to send the scopes that were sent from the the client to the authorization server to the RS that is fine.

Scopes are intended for Client to AS communication and the scopes granted are returned outside the token and a client should never be snooping into the access token.

I don't agree.  Scope was always intended to be a set of rights understandable to  specific narrow scope of resource/apps.  Many people don't want a separate RS to AS communication channel. So the token should give the RS everything it needs.  So if scope was intended to be defined in terms of what the RS understands, then of course, the RS needs to know what was authorized.

That still doesn't preclude an AS taking a complex bearer authorization and enabling the richness you mention.


I would object to requiring that Scopes be the only or even preferred mechanism for communicating authorization for resources to the RS.

I believe that the access token should have authorization information (including scope) and identity claims about authorizing user, client, if useful to the resource.  The most important is what the AS has authorized --- including scope.


Audience principal and other members of the JWT provide much richer opportunities to communicate permissions to the RS.

I don't think richness is the objective. The AS has the richness, but its job is to narrow down richness (complexity) and simplify for the resource server.


Al top level members of the JWT are called claims so if you add a scopes claim with a string containing the space separated scope strings if you like but it is a claim like the others.

JWT is extensible and you can add that,  It doesn't need to be in the core set of JWT claims.

Other than that I have no opinion:)

John B.

On 2013-03-11, at 9:47 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:


I agree. Many have been suggesting audience. But my gut feeling matches yours.

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>




On 2013-03-11, at 10:36 AM, Lewis Adam-CAL022 wrote:


I would not even want to confuse audience with scope.  Maybe in the simplest of cases, where there is a one-to-one mapping between scope and audience, but in reality the RS could expose multiple APIs at the same endpoint.  Granted the RS could extract the audience field based on a fully qualified scope, but it just seems that claims, scopes, and audiences are each unique and should be kept that way.

adam

From: Phil Hunt [mailto:phil.hunt@oracle.com<http://oracle.com/>]
Sent: Monday, March 11, 2013 9:25 AM
To: Nat Sakimura
Cc: Lewis Adam-CAL022; oauth@ietf.org<mailto:oauth@ietf.org> WG
Subject: Re: [OAUTH-WG] JWT - scope claim missing

One thing that concerns me is that scope is very different from a claim. An claim is an assertion provided that may have some level of dispute/quality etc.

A scope defines what is request or what has been authorized.  It's an absolute thing. Therefore it is not a claim. Audience...maybe.

This is why I think scope deserves special attention/discussion in authorization assertions and in access tokens.

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>





On 2013-03-10, at 9:17 PM, Nat Sakimura wrote:



So, it is soooo late in the game: I have been completely underwater to even read the OAuth mails for about a month and slowly catching up now.

Here is an I-D that I have created partly in response to the RS-AS interaction piece that was talked about at IETF 85.
It does not have 'scope' and has 'claims' instead as it was based on OpenID Connect, but it is easy to add, provided that the scopes are to be understood as that of the 'aud'.

http://tools.ietf.org/id/draft-sakimura-oidc-structured-token-01.txt

Best,

Nat

2013/3/1 Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com<mailto:Adam.Lewis@motorolasolutions.com>>
Hmmm, I'm not so sure.  It depends where we all think OAuth is on its trajectory.  On one hand, OAuth has already seen an insanely massive amount of deployment.  On the other hand, RESTful APIs see no sign of slowing down.   Now I'm not going to go so far as Craig B. and say that everything and everyone will be API enabled in the future, but it sure is going to be a lot.  That being said, one could argue that even with all the OAuth implementation we've seen, that this is just the infancy of it.  Obviously a WG profile of a JWT-structured AT could not deprecate other forms (unstructured, SAML, etc.) but going  forward new developers may choose to embrace this, and in fact this could even be the guidance.   I agree with previous comments that Justin's introspection draft might be a good place to explore this.

adam

From: Brian Campbell [mailto:bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>]
Sent: Thursday, February 28, 2013 1:36 PM
To: Lewis Adam-CAL022
Cc: John Bradley; oauth@ietf.org<mailto:oauth@ietf.org> WG

Subject: Re: [OAUTH-WG] JWT - scope claim missing


I do agree that a WG profile of a JWT-structured access token could lend itself to interoperability and ultimately be a useful thing. But you are right that there already are many implementations out there in the wild (heck, I've written one myself) and that might make it difficult to standardize on something.
Because of that, and many other reasons, I don't want to try and add that to existing assertion drafts.

On Thu, Feb 28, 2013 at 12:13 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com<mailto:Adam.Lewis@motorolasolutions.com>> wrote:
Hi Brian, a few thoughts from somebody outside of the WG ...

As a newcomer to OAuth last year, I was initially confused by the titles.  It was confusing because we have SAML bearer *assertions* and JWT bearer *tokens* ... and as John just (begrudgingly) stated in this thread, the JWT is being used as an assertion in this profile (and in OIDC).  I think it will be difficult to find a good name for these profiles since they do two entirely different things (e.g. define a new grant type and define a new method of client authentication).  One could argue that as long as the WG is at it, then why not add a third section to the JWT profile, which talks about usage of JWT-structured bearer access tokens: it would not be any less related than the other two focuses of the doc.  Then the document could be called something simple like "profiles of JWT usage in OAuth" or something like that.

On one hand, it is probably naïve to think that an access token can be standardized in a profile given how many have already been released into the wild, but on the other hand, a WG profile of a JWT-structured access token could lend itself to interoperability, where AS implementations can advertise conformance to the profile and who knows ... maybe the RS's of the future will be good with this.

adam

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On Behalf Of Brian Campbell
Sent: Thursday, February 28, 2013 1:03 PM
To: John Bradley
Cc: oauth@ietf.org<mailto:oauth@ietf.org> WG

Subject: Re: [OAUTH-WG] JWT - scope claim missing

I'm not sure anyone really "picked" the titles for the bearer token profiles. They just kind of evolved. And evolved in funny ways especially when client authn to the AS was added.
You won't hear me argue that the titles are "good" and this is not the first time there's been confusion about what they actually do. They define new grant types and new client authentication methods. They *do not* define an access token format or anything else about access tokens. JWT and SAML could be used for that but that's not what these drafts do.
Suggestions for better title(s) would be more than welcome.

Here's what they are now:

SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
draft-ietf-oauth-saml2-bearer

JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
draft-ietf-oauth-jwt-bearer

Assertion Framework for OAuth 2.0
draft-ietf-oauth-assertions

On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
Yes the title likely adds to the confusion given that the bearer tokens are not access tokens.

Things as separate from OAuth as the Firefox browerID spec use JWS signed JWTs.

The bearer token profiles for OAuth 2 are for OAuth2.

The JSON Web Token (JWT)<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec did not start in OAuth and is not OAuth specific.

A JWT is:

JSON Web Token (JWT)  A string representing a set of claims as a JSON

      object that is encoded in a JWS or JWE, enabling the claims to be

      digitally signed or MACed and/or encrypted.

So OAuth or other profiles may define claims to go in a JWT, but the JWT needs to itself only define the claims necessary for security processing.

John B.
PS that was a soft ball If you hadn't responded I would have been disappointed.  I din't pick the title for the bearer token profiles.


On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:

JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0

Note the title says "for OAuth2"

Sorry. Couldn't resist.

Phil

Sent from my phone.

On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
JWT is an assertion( I am probably going to regret using that word).

It is used in openID connect for id_tokens, it is used in OAuth for Assertion grant types and authentication of the client to the token endpoint.
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04






JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0

Dosen't define JWT's use for access tokens for the RS.

Bottom line JWT is for more than access tokens.

John B.

On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:

Are you saying jwt is not an access token type?

Phil

Sent from my phone.

On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
Yes, defining scope in JWT is the wrong place.   JWT needs to stick to the security claims needed to process JWT.

I also don't know how far you get requiring a specific authorization format for JWT, some AS will wan to use a opaque reference, some might want to use a user claim or role claim, others may use scopes,  combining scopes and claims is also possible.

Right now it is up to a AS RS pair to agree on how to communicate authorization.   I don't want MAC to be more restrictive than bearer when it comes to authorization between AS  and RS.

Hannes wanted to know why JWT didn't define scope.  The simple answer is that it is out of scope for JWT itself.   It might be defined in a OAuth access token profile for JWT but it should not be specific to MAC.

John B.
On 2013-02-28, at 8:44 AM, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:

I think John's point was more that scope is something rather specific to an OAuth access token and, while JWT is can be used to represent an access token, it's not the only application of JWT. The 'standard' claims in JWT are those that are believed (right or wrong) to be widely applicable across different applications of JWT. One could argue about it but scope is probably not one of those.
It would probably make sense to try and build a profile of JWT specifically for OAuth access tokens (though I suspect there are some turtles and dragons in there), which might be the appropriate place to define/register a scope claim.

On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
Are you advocating TWO systems? That seems like a bad choice.

I would rather fix scope than go to a two system approach.

Phil

Sent from my phone.

On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:

> While scope is one method that a AS could communicate authorization to a RS, it is not the only or perhaps even the most likely one.
> Using scope requires a relatively tight binding between the RS and AS,  UMA uses a different mechanism that describes finer grained operations.
> The AS may include roles, user, or other more abstract claims that the the client may (god help them) pass on to EXCML for processing.
>
> While having a scopes claim is possible, like any other claim it is not part of the JWT core security processing claims, and needs to be defined by extension.
>
> John B.
> On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote:
>
>> Hi Mike,
>>
>> when I worked on the MAC specification I noticed that the JWT does not have a claim for the scope. I believe that this would be needed to allow the resource server to verify whether the scope the authorization server authorized is indeed what the client is asking for.
>>
>> Ciao
>> Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org<mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth







_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email