IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Wed, 03 April 2019 20:48 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC5AC120256 for <oauth@ietfa.amsl.com>; Wed, 3 Apr 2019 13:48:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ioql8f4KFkNT for <oauth@ietfa.amsl.com>; Wed, 3 Apr 2019 13:48:45 -0700 (PDT)
Received: from sonic302-3.consmr.mail.bf2.yahoo.com (sonic302-3.consmr.mail.bf2.yahoo.com [74.6.135.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A921120158 for <oauth@ietf.org>; Wed, 3 Apr 2019 13:48:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554324523; bh=UwsVwuMA8q7HfeQHdrRWUduhNVdCIB9D6l8N/x+trSQ=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=j6FU04dVZF26ZN0TtFIvzYfcjN6acf6gavwLw/2LdfNw0OED1fjN/1622hvxSO8pLgDBQ0XiCC6ZJdWG4lFm1BSdgtfbRp2DXO+BK2St5KH1IRJuMQ/+52NlH03EKiSpiBK3Nq8YqjSSN+Y37Zw+DiGxIiWLk62GVmc9fDx2n7jxOUX5NhVoPF7UXSxi8ZNY/0nFpDFswytVR2Tq7mzdF6KoCEVZJvF26CJa+aP/tImyRos9buaHsUPLANa1xnjGMTpI1GPZeYIqmFBGx7Hx7PPm/fZkoR2OCHfw9E5BvS56fGsQvEj2cxyogg975B4G+D1Tc8R4d0uen0Lii7+xIg==
X-YMail-OSG: O_CTEwMVM1nhLPC8KuMvMASxy3hAPAeQJNRa6IWjzPTswzpENogDgsKXLIPumaU f00Ha0SAF0j2FL2EtRF0XDO3xGi3uBTHcWcuWW.OmzhlUX9JJkANWbX3xr37JRpaXFyCob10cJdb iwuKp6V2SAhnx78OrlU1pw4wGVNxBQ_Ob2u4rpV7UoJe6wfeVWcvMLaH4MopgUxVq473Hf6TknD8 BxcZfQgrOdQNBlx0LiIHyPldXumJMawT.UxOiCcda1kWwOc6DRE799IMIfIEibruPCi0MnfRq_3f GuBAk13iIyVOIECs2.I5UbaYi7SV3xwbeXVjQoc3PQAVtKbF7CEas4rw1um4BAP6MSMKAhGdQLT3 dsKFmHJqV1GeW0wdXVMaqW5jNUmzifstdV3sj535DeoSdMjG4VxORqeoTh9t0L2xIZHLOn_sYMJx zEg1ET7q8qsgSAPoYI_2konDOoXY.l3PMx12fP1i.h6GH_wj9vD8U9.2bnZMAGi84c5Jg24gW5Pw LwQ80e537urUo_lnS0ZfhENjVvqX4YhjIoE.jUTgsVzYPSQnuiWQPCMdIok6Y6aKxO4QvtIZX2j9 qzhpEQx0p6T..A8N8.imXh0RaWtQXALNh16xfX8ZnRxTgIWwPhjqz7F1DA9PJTy8iYLPluRtzixx LaSvKIcY_jZc.zDa3ELQKlupxa5m5k6cD4r4kQKBOPAFvVgRd3rQMZhUkhrEiwuL0drw.IuhLcqw Jxs2VfB53VeCnMTZ1PsQBICUOKKebXIXwLsneREQNSHZYGHjXvWbDJZ4DyX9NYbU.vJriqcWlNSR aA5_dY90ekoa6C7Ehy9OyDXwJ.2.v.HehVEET2a7D6qN02LNGuMqntsHo64KbPQ389VpzJ.kASe2 BC17lCed286DLIi85Mk5_8KQ3mU44spiRb.P92R5ZnKxuFEzhAMr6ZDYixy7BbysoN90D2HZuxOb .KD_73V3Q6POSueNP8fIN7KezqFv3TthpO.8BcNCiggbd4EkP4BjOyZ3qGO5ara4jCtFnXl5ozal O4nHyWC924p5qxsQycXDWcOhQL.rmV2XEZKyQwuhHSRGbpo1sv0X8LA5ub9L86f8.cb.ypB9UuA- -
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.bf2.yahoo.com with HTTP; Wed, 3 Apr 2019 20:48:43 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp415.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID d02b6ee8df68cd41fc185a7532de8bd7; Wed, 03 Apr 2019 20:48:42 +0000 (UTC)
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com> <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com> <CA+iA6uhHOSmiSG_vxvad_g2ufi57OS4TxdvoO20g+7vm7rNZiA@mail.gmail.com> <CAO7Ng+vGC5ByU1wZrbNWvaZ+QuDByhJ8huw8UXVxfOCWQpaH1w@mail.gmail.com> <CA+iA6ujkEMdHPMn7JQLts7OAusV3ieKKMon572vTACtFvTGnrA@mail.gmail.com> <CAO_FVe73L7B-_7gu1W0N-mqLXHQExef4QKDeaWHrUmJnCCxCRg@mail.gmail.com> <D610AAEA-892F-4AAD-915D-A0C068F5BFD3@gmail.com> <CAO7Ng+sqzw4O2vt+iCWegBWBGg+-oyqV1j8dF7ADK2TbPec_CQ@mail.gmail.com> <CAHsNOKewL9xCFt6SsP4dz+W0CN_NUZaGMJahF7mSgos_Xbnhhw@mail.gmail.com> <CAO_FVe7c6jLRJ8mD7gw=a6NY3oZcgCh_b5dR8uRXa6Q2c2gmGg@mail.gmail.com> <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <a34edf0e-012a-ecc9-e547-3cdc61dca5a4@aol.com>
Date: Wed, 03 Apr 2019 16:48:41 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------00269959D36A2B2110045E16"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s8_4VC1d2AGvlXWfvQz5vXpgdiU>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2019 20:48:50 -0000

I agree that this will break a lot of existing flows... especially those 
using any form of the client_credentials flow. In that sense I'm not 
completely on board yet :)

On 3/26/19 12:56 PM, Hans Zandbelt wrote:
> great summary! this will hurt quite a few existing m2m deployments but 
> I do like the rigidness of it all: it is very explicit, cannot 
> misinterpreted and thus prevents failure (which is really what 
> Dominick is after); I'm on board
>
> Hans.
>
> On Tue, Mar 26, 2019 at 5:49 PM Vittorio Bertocci 
> <Vittorio=40auth0.com@dmarc.ietf.org 
> <mailto:40auth0.com@dmarc.ietf.org>> wrote:
>
>     thank you Steinar and everyone else for the comments on this!
>     To summarize the situation so far: Dominick, Steinar, Rob, David,
>     Nov, Bertrand recommend using sub only for users. Martin would
>     like to have the sub for app only flows as well. Hans is neutral.
>     That does sound like the sub as user has more consensus, tho
>     before changing it I'd wait for the people currently at IETF104 to
>     have more time to comment as well.
>     Clarification. If the goal is to be able to apply the logic "if
>     there's a sub, it's a user flow", we have to explicitly disallow
>     (MUST NOT) the use of sub when that's not the case. Are all OK
>     with it?
>
>     Dave, the suggestion of having explicit typing for app only vs
>     user only is interesting! For the purpose of putting together an
>     interoperable profile, tho, I would suggest we table it for v1 in
>     the interest of getting to something easy to adopt (hence with
>     small delta vs existing implementations) faster.
>
>     On Tue, Mar 26, 2019 at 1:40 AM Steinar Noem <steinar@udelt.no
>     <mailto:steinar@udelt.no>> wrote:
>
>         Hi Vittorio, we (the national federation-gateway for the
>         health services in norway - "HelseID")  think his is a really
>         valuable initiative!
>         We also agree with Dominick concerning definition of the "sub"
>         claim.
>
>         <mvh>Steinar</mvh>
>
>         tir. 26. mar. 2019 kl. 07:25 skrev Dominick Baier
>         <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com>>:
>
>             From an access token consumer (aka API) developer point of
>             view, I prefer this logic
>
>             "If sub is present - client acts on behalf of a user, if
>             not - not."
>
>             Anything more complicated has a potential of going wrong.
>
>
>             On 26. March 2019 at 01:34:53, Nov Matake
>             (matake@gmail.com <mailto:matake@gmail.com>) wrote:
>
>>             Hi Vittorio,
>>
>>             Yeah, I’m concerning user & client ids collision.
>>             I haven’t seen such implementations, but user-select
>>             username as sub, or incremental integer as sub &
>>             client_id will be easily collide.
>>
>>             If you can enforce collision resistant IDs between user &
>>             client instances, it’ll works fine. I feel its overkill
>>             though.
>>
>>             Sent from my iPhone
>>
>>             On Mar 26, 2019, at 8:51, Vittorio Bertocci
>>             <Vittorio@auth0.com <mailto:Vittorio@auth0.com>> wrote:
>>
>>>             Hey Nov, Dominick, Hans-
>>>             thanks for the comments. That was an area I was
>>>             expecting to cause more discussion, and I am glad we are
>>>             having this opportunity to clarify.
>>>             The current language in the draft traces the etymology
>>>             of sub to OpenID Connect core, hence Dominick
>>>             observation is on point. However in the description I
>>>             express something in line with 7519, which was in fact
>>>             my intent.
>>>
>>>             The idea was to provide an identifier of the calling
>>>             subject that is guaranteed to be present in all cases-
>>>             this would allow an SDK developer to use the same code
>>>             for things like lookups and membership checks regardless
>>>             of the nature of the caller (user in a delegated case,
>>>             app in app-only grants). The information to discriminate
>>>             between user and app callers is always available in the
>>>             token (say, the caller is a user if sub!=client_id,
>>>             where client_id is always guaranteed to be present as
>>>             well) hence there's no loss in expressive power, should
>>>             that difference be relevant for the resource server.
>>>
>>>             Dominick, Hans- I probably missed the security issue you
>>>             guys are thinking of in this case. Of course, if this
>>>             would introduce a risk I completely agree it should be
>>>             changed- I'd just like to understand better the problem.
>>>             Could you expand it in a scenario/use case to clarify
>>>             the risk?
>>>             Nov- playing this back: is the concern that a user and a
>>>             client might have the same identifier within an IDP?
>>>             When using collision resistant IDs, as it is usually the
>>>             case, that seems to be a remote possibility- did you
>>>             stumble in such scenario in production?
>>>
>>>             Thanks
>>>             V.
>>>
>>>
>>>             On Mon, Mar 25, 2019 at 7:44 AM Hans Zandbelt
>>>             <hans.zandbelt@zmartzone.eu
>>>             <mailto:hans.zandbelt@zmartzone.eu>> wrote:
>>>
>>>                 I believe there are plenty of OAuth 2.0 only use
>>>                 cases out there... but nevertheless I agree with the
>>>                 potential confusion and thus security problems
>>>                 arising from that (though one may argue the
>>>                 semantics are the same).
>>>
>>>                 Hans.
>>>
>>>                 On Mon, Mar 25, 2019 at 3:39 PM Dominick Baier
>>>                 <dbaier@leastprivilege.com
>>>                 <mailto:dbaier@leastprivilege.com>> wrote:
>>>
>>>                     Yes I know - and I think in hindsight it was a
>>>                     mistake to use the same claim type for multiple
>>>                     semantics.
>>>
>>>                     All the “this is OIDC not OAuth” arguments are
>>>                     making things more complicated than they need to
>>>                     be - in my experience almost no-one (that I
>>>                     know) does OIDC only - nor OAuth only. They
>>>                     always combine it.
>>>
>>>                     In reality this leads to potential security
>>>                     problems - this spec has the potential to
>>>                     rectify the situation.
>>>
>>>                     Dominick
>>>
>>>                     On 25. March 2019 at 14:58:56, Hans Zandbelt
>>>                     (hans.zandbelt@zmartzone.eu
>>>                     <mailto:hans.zandbelt@zmartzone.eu>) wrote:
>>>
>>>>                     Without agreeing or disagreeing: OIDC does not
>>>>                     apply here since it is not OAuth and an access
>>>>                     token is not an id_token.
>>>>                     The JWT spec says in
>>>>                     https://tools.ietf.org/html/rfc7519#section-4.1.2:
>>>>
>>>>                     "The "sub" (subject) claim identifies the
>>>>                     principal that is the
>>>>                      subject of the JWT.  The claims in a JWT are
>>>>                     normally statements
>>>>                      about the subject.  The subject value MUST
>>>>                     either be scoped to be
>>>>                      locally unique in the context of the issuer or
>>>>                     be globally unique.
>>>>                      The processing of this claim is generally
>>>>                     application specific"
>>>>
>>>>                     which kind of spells "client" in case of the
>>>>                     client credentials grant but I also do worry
>>>>                     about Resource Servers thinking/acting only in
>>>>                     terms of users
>>>>
>>>>                     Hans.
>>>>
>>>>                     On Mon, Mar 25, 2019 at 2:41 PM Dominick Baier
>>>>                     <dbaier@leastprivilege.com
>>>>                     <mailto:dbaier@leastprivilege.com>> wrote:
>>>>
>>>>                         IMHO the sub claim should always refer to
>>>>                         the user - and nothing else.
>>>>
>>>>                         OIDC says:
>>>>
>>>>                         "Subject - Identifier for the End-User at
>>>>                         the Issuer."
>>>>
>>>>                         client_id should be used to identify clients.
>>>>
>>>>                         cheers
>>>>                         Dominick
>>>>
>>>>                         On 25.. March 2019 at 05:13:03, Nov Matake
>>>>                         (matake@gmail.com
>>>>                         <mailto:matake@gmail.com>) wrote:
>>>>
>>>>>                         Hi Vittorio,
>>>>>
>>>>>                         Thanks for the good starting point of
>>>>>                         standardizing JWT-ized AT.
>>>>>
>>>>>                         One feedback.
>>>>>                         The “sub” claim can include 2 types of
>>>>>                         identifier, end-user and client, in this spec.
>>>>>                         It requires those 2 types of identifiers
>>>>>                         to be unique each other in the IdP context.
>>>>>
>>>>>                         I prefer omitting “sub” claim in 2-legged
>>>>>                         context, so that no such constraint needed.
>>>>>
>>>>>                         thanks
>>>>>
>>>>>                         nov
>>>>>
>>>>>>                         On Mar 25, 2019, at 8:29, Vittorio
>>>>>>                         Bertocci
>>>>>>                         <vittorio.bertocci=40auth0.com@dmarc.ietf.org
>>>>>>                         <mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org>>
>>>>>>                         wrote:
>>>>>>
>>>>>>                         Dear all,
>>>>>>                         I just submitted a draft describing a JWT
>>>>>>                         profile for OAuth 2.0 access tokens. You
>>>>>>                         can find it in
>>>>>>                         https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
>>>>>>                         I have a slot to discuss this tomorrow at
>>>>>>                         IETF 104 (I'll be presenting remotely). I
>>>>>>                         look forward for your comments!
>>>>>>
>>>>>>                         Here's just a bit of backstory, in case
>>>>>>                         you are interested in how this doc came
>>>>>>                         to be. The trajectory it followed is
>>>>>>                         somewhat unusual.
>>>>>>
>>>>>>                           * Despite OAuth2 not requiring any
>>>>>>                             specific format for ATs, through the
>>>>>>                             years I have come across multiple
>>>>>>                             proprietary solution using JWT for
>>>>>>                             their access token. The intent and
>>>>>>                             scenarios addressed by those
>>>>>>                             solutions are mostly the same across
>>>>>>                             vendors, but the syntax and
>>>>>>                             interpretations in the
>>>>>>                             implementations are different enough
>>>>>>                             to prevent developers from reusing
>>>>>>                             code and skills when moving from
>>>>>>                             product to product.
>>>>>>                           * I asked several individuals from key
>>>>>>                             products and services to share with
>>>>>>                             me concrete examples of their JWT
>>>>>>                             access tokens (THANK YOU Dominick
>>>>>>                             Baier (IdentityServer), Brian
>>>>>>                             Campbell (PingIdentity), Daniel
>>>>>>                             Dobalian (Microsoft), Karl Guinness
>>>>>>                             (Okta) for the tokens and explanations!).
>>>>>>                             I studied and compared all those
>>>>>>                             instances, identifying commonalities
>>>>>>                             and differences.
>>>>>>                           * I put together a presentation
>>>>>>                             summarizing my findings and
>>>>>>                             suggesting a rough interoperable
>>>>>>                             profile (slides:
>>>>>>                             https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
>>>>>>                             <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
>>>>>>                             ) - got early feedback from Filip
>>>>>>                             Skokan on it. Thx Filip!
>>>>>>                           * The presentation was followed up by
>>>>>>                             1.5 hours of unconference discussion,
>>>>>>                             which was incredibly valuable to get
>>>>>>                             tight-loop feedback and incorporate
>>>>>>                             new ideas. John Bradley, Brian
>>>>>>                             Campbell Vladimir Dzhuvinov, Torsten
>>>>>>                             Lodderstedt, Nat Sakimura, Hannes
>>>>>>                             Tschofenig were all there and
>>>>>>                             contributed generously to the
>>>>>>                             discussion. Thank you!!!
>>>>>>                             Note: if you were at OSW2019,
>>>>>>                             participated in the discussion and
>>>>>>                             didn't get credited in the draft, my
>>>>>>                             apologies: please send me a note and
>>>>>>                             I'll make things right at the next
>>>>>>                             update.
>>>>>>                           * On my flight back I did my best to
>>>>>>                             incorporate all the ideas and
>>>>>>                             feedback in a draft, which will be
>>>>>>                             discussed at IETF104 tomorrow.
>>>>>>                             Rifaat, Hannes and above all Brian
>>>>>>                             were all super helpful in negotiating
>>>>>>                             the mysterious syntax of the RFC
>>>>>>                             format and submission process.
>>>>>>
>>>>>>                         I was blown away by the availability,
>>>>>>                         involvement and willingness to invest
>>>>>>                         time to get things right that everyone
>>>>>>                         demonstrated in the process. This is an
>>>>>>                         amazing community.
>>>>>>                         V.
>>>>>>                         _______________________________________________
>>>>>>                         OAuth mailing list
>>>>>>                         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>                         https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>                         _______________________________________________
>>>>>                         OAuth mailing list
>>>>>                         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>                         https://www.ietf.org/mailman/listinfo/oauth
>>>>                         _______________________________________________
>>>>                         OAuth mailing list
>>>>                         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>                         https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>>                     --
>>>>                     hans.zandbelt@zmartzone.eu
>>>>                     <mailto:hans.zandbelt@zmartzone.eu>
>>>>                     ZmartZone IAM - www.zmartzone.eu
>>>>                     <http://www.zmartzone.eu>
>>>
>>>
>>>
>>>                 --
>>>                 hans.zandbelt@zmartzone.eu
>>>                 <mailto:hans.zandbelt@zmartzone.eu>
>>>                 ZmartZone IAM - www.zmartzone.eu
>>>                 <http://www.zmartzone.eu>
>>>
>             _______________________________________________
>             OAuth mailing list
>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>             https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>         -- 
>         Vennlig hilsen
>
>         Steinar Noem
>         Partner Udelt AS
>         Systemutvikler
>         | steinar@udelt.no <mailto:steinar@udelt..no> | hei@udelt.no
>         <mailto:hei@udelt.no>  | +47 955 21 620 | www.udelt.no
>         <http://www.udelt.no/> |
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -- 
> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email