Re: [OAUTH-WG] Token Binding & implicit

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 20 November 2018 19:36 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <D27C76F4-617B-4E25-A477-08F2DE22C9ED@lodderstedt.net>
Date: Tue, 20 Nov 2018 20:36:39 +0100
In-Reply-To: <CA+k3eCSfeoWUfdoBgtHuewNcmz8jbXZm0-ScpVXzF1ThSLnRHA@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
References: <CA+k3eCSfeoWUfdoBgtHuewNcmz8jbXZm0-ScpVXzF1ThSLnRHA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v1r05ZTplWvcQrgySU0HsxQ7Y58>
Subject: Re: [OAUTH-WG] Token Binding & implicit

I opt for (4) - Remove support/description of binding of access tokens issued from the authorization endpoint.

I think the potential solution we worked out (slide 6) is too complex, and the security implications of the redirect via the resource servers are still unclear.

> On 18 Nov 2018, at 13:32, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> During the first OAuth session in Bangkok the question "what to do about token binding & implicit?" was raised. There was some discussion but session time was limited and we had to move on before any real consensus was reached. 
> 
> So I thought I'd bring the question to the WG list to generate some more discussion on the issue. It's also related, at least in part, to a couple of the other ongoing threads on the list about browser based apps and security practices. 
> 
> The slides from the session are linked below. Slides 5 & 6 try and explain the awkwardness of doing Token Binding with implicit. While slide 7 lays out some (not very good) options for how to proceed.
> https://datatracker.ietf.org/meeting/103/materials/slides-103-oauth-sessb-draft-ietf-oauth-token-binding-00
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth