IETF Logo Mail Archive

Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?

Philippe De Ryck <philippe@pragmaticwebsecurity.com> Tue, 07 November 2023 06:41 UTC

Return-Path: <philippe@pragmaticwebsecurity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4C0AC1E4E48 for <oauth@ietfa.amsl.com>; Mon, 6 Nov 2023 22:41:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.804
X-Spam-Level:
X-Spam-Status: No, score=-2.804 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pragmaticwebsecurity.com header.b="ILH0QtYI"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="cGJ+C/Ti"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gsPoOCF8Phe for <oauth@ietfa.amsl.com>; Mon, 6 Nov 2023 22:41:17 -0800 (PST)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6983C1E4E43 for <oauth@ietf.org>; Mon, 6 Nov 2023 22:41:16 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 56EF532009BD; Tue, 7 Nov 2023 01:41:13 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Tue, 07 Nov 2023 01:41:13 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= pragmaticwebsecurity.com; h=cc:cc:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm3; t= 1699339272; x=1699425672; bh=Y68y1t3fl/Ou0sWECIWyq6XUBUj55XjSyCB MDGidlsQ=; b=ILH0QtYI2ptxuSZs7W9f0RjZy9M+CrjXDl5tBlnGNbusPFU9zXt biysMlEfTUZxEPw19Jdmh2cEoyDwEedkdfIiPX1cY5VpzJ1U80LBNo0Gs4WNsf2U bkoKr7mSGPx6F2W0ygY042+/RJhFvyKvg8YvIGFNljKESxYz1RtGeUsN7DnX7THZ Qa76pVeS9/lx0iIFsirMMnEUPKngFsHE9+KfmABzojKSnNTcn1qHbEBxlwBsyMZ4 lylQHtrjZzhNhrn1qwKGzvuPnfQSdDntSkOa+Wuf4F4WJGubtht0Nin36TVikzMg JAU8TZmiXTttMJYEpFt/hszExGWC/I4wrpA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1699339272; x=1699425672; bh=Y68y1t3fl/Ou0 sWECIWyq6XUBUj55XjSyCBMDGidlsQ=; b=cGJ+C/TidTKLyB/jQ2psruadSTCap g/HJ8gecSg23ByAzYvP4s2lf0tFrHEUT4hItUWCPGXNxEejgVjq9kOy1mVgjgS7P AhBS7lhjBHJB1IXi9cuQ1outbjJk/imwoypzfKCSvU9lr7igBMfTOqbqBESWYWFn mewXIYOY5ux/J75fBTVGNPPFOT02rwlvBWagJRLUhw1oacJbOo8ztjQscx+VowOY 2Gb6qQrf6ShM5ascmnEqBQcaTdsLAI7Ofb5etuNRlBrPHmIU+F+89/h1zxZIMTY3 fuCVpYgrhplIXahwb0SRsw1APOYLQtIbkbnjrUNZTwsZf4BQOe9Plaaqw==
X-ME-Sender: <xms:CNxJZV0UIAfu9YiJadChrI5wJGpK65NSYBLH1al1SC9qvL2ySg93wQ> <xme:CNxJZcFVpo6ZmWIjf9AMUrKxcNMIH0npf1djrMReR056_g2FzKVowbQuTVN7OZepF PByHUvt6pBZUEcBOA>
X-ME-Received: <xmr:CNxJZV5BKpGuorFVtuzmP8kZB7VQ77X5huVkhImQaqzJJ25VyTYjaUP_QEoARJeKl9QiVg6oYnpsvtx-xpBW0jqyKHqZLJc>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrudduhedgleehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne goufhushhpvggtthffohhmrghinhculdegledmnecujfgurhephffktgggufffjgevvfhf ofesrgdtmherhhdtjeenucfhrhhomheprfhhihhlihhpphgvucffvgcutfihtghkuceoph hhihhlihhpphgvsehprhgrghhmrghtihgtfigvsghsvggtuhhrihhthidrtghomheqnecu ggftrfgrthhtvghrnheptdejgfehjedvheelledutddtgfeliefgkeegheffffekffefle fffffgffdvgedtnecuffhomhgrihhnpeiffedrohhrghdprghuthhhtddrtghomhdpphhr rghgmhgrthhitgifvggsshgvtghurhhithihrdgtohhmpdhgihhthhhusgdrihhopdhivg htfhdrohhrghdphhhtthhphhgvrgguvghrshdrmhihnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepphhhihhlihhpphgvsehprhgrghhmrghtih gtfigvsghsvggtuhhrihhthidrtghomh
X-ME-Proxy: <xmx:CNxJZS21Q9G3_40Xsp_JR7_KEV4ZopkV-YLMkW8LtRuoyfSB1pxmLA> <xmx:CNxJZYFWWjY01aDdAsfoKZ4nEcekoX6e2ZZcaND4AeqFhL65I3ry4Q> <xmx:CNxJZT9XAWzY_43zUNhv2iNb8kJMQkUkIyl1tjEcrV7aVXZtWRFpxA> <xmx:CNxJZcDFH2TZn4SbXWBxwJbL5kG27me7z0XllyaT9vzuGfhYmBObag>
Feedback-ID: i21e1449f:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 7 Nov 2023 01:41:11 -0500 (EST)
From: Philippe De Ryck <philippe@pragmaticwebsecurity.com>
Message-Id: <5B1AB1E6-17A3-4F7A-B476-97F6FF04B5EF@pragmaticwebsecurity.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CCBA15E4-263D-47FF-8382-1EBDC68EBD80"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
Date: Tue, 07 Nov 2023 07:41:09 +0100
In-Reply-To: <CAD9ie-uoBYL_PNrkR-1QzFPhdatnaGMv2WT4hH21JUE+f5+CcA@mail.gmail.com>
Cc: Giuseppe De Marco <demarcog83@gmail.com>, Daniel Fett <fett=40danielfett.de@dmarc.ietf.org>, Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>, oauth@ietf.org
To: Dick.Hardt@gmail.com
References: <CAD9ie-sh0qnGzg5VwU_enq2Br9hH5zgm86z9i7vdMj_uQs=4yA@mail.gmail.com> <CAGBSGjrMDrXMd2ApKmLn_LVgMSLME-wvHqPCTpzgDxk5_+kRSA@mail.gmail.com> <f6383d62-9586-49c9-a824-9d92288ee4bd@danielfett.de> <CAGBSGjqe2HjJuh6OgJy5VU+w8HRyu159uJtMnmXS+LPWg_LphA@mail.gmail.com> <CAD9ie-sfrzEMvS8yk49XSNfvwRbcj1tPKfmNxC97VAF4pRqcfg@mail.gmail.com> <C3E1A2E4-AFE0-4C85-8F53-0C1C0154107A@gmail.com> <CAP_qYyktwsB_d0pqhMacM3Ma+wMUdDdKT56EMv6LY2xKndRVQA@mail.gmail.com> <CAD9ie-tEhWrEKeByEFx+Tvfk6_LTwzDfAZy9gq_dib2zfqz7tQ@mail.gmail.com> <D3DF8002-B819-4E60-AF46-71D4F47822AE@pragmaticwebsecurity.com> <CAD9ie-t_PKaDzcuM-vH1fy1=UEhakV6Mti1VA-kchNUcybwUjg@mail.gmail.com> <94209AAD-30F4-41C3-8056-BE4E9AEA1731@pragmaticwebsecurity.com> <CAD9ie-uoBYL_PNrkR-1QzFPhdatnaGMv2WT4hH21JUE+f5+CcA@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yBAFs51MgqOhbHAKoDvWTZBlGzs>
Subject: Re: [OAUTH-WG] Cookies & headers in OAuth 2.0 Security Best Current Practice?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2023 06:41:21 -0000

Answers inline to add the proper nuance. 

> Would you not agree that a "good" CSP config is a good line of defense against XSS attacks?

A good CSP policy can indeed help to stop the exploitation of an XSS vulnerability, should one exist in the application. I do not agree with the wording “a good line of defense”, as it can imply that a good CSP policy can be used as the only defense. XSS vulnerabilities are first and foremost avoided by adopting secure coding guidelines. CSP acts as a second line of defense, in case an XSS vulnerability still slips through. 


> I agree that the OAuth BCP should not provide details on CSP config. I do think we should call out having a considered CSP config is a best practice.
> 
> I differentiate between headers and cookies and SQL injection etc. in that the headers and cookies are part of the HTTP requests, which is the protocol OAuth is built on, so weaknesses there weaken the protocol. 

Just because CSP can be configured as a header (CSP can also be set with a <meta> tag) does not make it part of the protocol OAuth is built on. CSP is 100% an application-level feature. And as useful as CSP can be, I would not consider “not having CSP” as a protocol weakness.

I’m not strongly against mentioning CSP, I’m just wondering how much good it does given the complexity of configuring CSP correctly. It suffices to include a CDN that hosts a version of AngularJS 1.x to have a bypassable (and thereby mostly useless) CSP policy. 
 
Philippe


> 
> On Mon, Nov 6, 2023 at 11:25 AM Philippe De Ryck <philippe@pragmaticwebsecurity.com <mailto:philippe@pragmaticwebsecurity.com>> wrote:
> I went back to the Security BCP and combed through the fine details, and there is indeed some guidance on CSP. But your initial remark that this is "vague" is definitely true, and this section is actually a good illustration of what I was trying to say. Let me unpack the details a bit …
> 
> In section 4.16, the security BCP talks about how to restrict framing to avoid clickjacking/UI redressing attacks. Defending against such attacks cannot be done with secure coding, but must be done with specific framing restrictions. The best mechanism to achieve this is by setting security headers: the legacy X-Frame-Options header or the more modern CSP frame-ancestors directive. Given that this security requirement is closely linked to OAuth and is not something that “happens naturally”, but must be explicitly added, I totally agree that this should be part of the security BCP. 
> 
> Now, in paragraph 5 of the section, things get somewhat confusing (included below for reference). So far, every mention of "CSP" was used as a synonym for the "frame-ancestors" directive to restrict framing. However, all the way at the end of that paragraph, the text suddenly recommends using the "script-src" directive to restrict sources of JS that can execute on the page. The paragraph then points to a sample header, with the configuration of "script-src 'self'". 
> 
> Using CSP allows authorization servers to specify multiple origins in a single response header field and to constrain these using flexible patterns (see [W3C.CSP-2 <https://www.w3.org/TR/CSP2>] for details). Level 2 of this standard provides a robust mechanism for protecting against clickjacking by using policies that restrict the origin of frames (using frame-ancestors) together with those that restrict the sources of scripts allowed to execute on an HTML page (by using script-src).
> 
> Unfortunately, this advice is too simplistic to be useful, as it prevents the loading of JS from any other origin, including CDNs, or third-party services. Additionally, it violates modern best practices for CSP, which recommend the use of hashes, nonces, and trust propagation (with nonce propagation or 'strict-dynamic'). If you’re interested in the details, I’ve done a few guest blog posts about CSP for Auth0 that cover this: https://auth0.com/blog/authors/philippe-de-rick/ <https://auth0.com/blog/authors/philippe-de-rick/>
> 
> 
> What I'm trying to say here is that a detailed CSP config (apart from the "frame-ancestors" directive) is not essential for a secure OAuth implementation or deployment. It can and should act as a second line of defense against content injection attacks, but not having such a CSP config does not automatically create a vulnerability. Therefore, my recommendation is to focus on the details directly relevant to OAuth security.
> 
> For security guidelines for configuring cookies, I believe this would be more directly related and more useful, as I mentioned before.
> 
> Finally, I can totally see that the community could benefit from more in-depth security best practices that go beyond OAuth-specific risks. Apart from CSP, there's a whole bunch more response headers that can be configured (as you and others have mentioned). On top of that, modern browsers send a lot of metadata in a request (e.g., the Sec-Fetch Metadata headers) that could be used by the AS to reject illegitimate requests. However, given the rapid development of these features and lack of widespread support, I would envision such recommendations to live in a more "dynamic" document than an RFC.
> 
> Philippe
> 
> —
> Pragmatic Web Security
> Security for developers
> https://pragmaticwebsecurity.com <https://pragmaticwebsecurity.com/>
> 
>> On 6 Nov 2023, at 18:07, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>> 
>> That's a surprising response Philippe. The BCP already has Content-Security-Policy and Referrer-Policy headers recommendations. The core of my feedback is to add Cookie and Header best practices to Section 2, and point to one or more living documents. 
>> 
>> On Mon, Nov 6, 2023 at 8:45 AM Philippe De Ryck <philippe@pragmaticwebsecurity.com <mailto:philippe@pragmaticwebsecurity.com>> wrote:
>> While I understand the idea of pointing to additional security resources, I’m not sure if it is the role of the security BCP (or other specs) to take on the responsibility to address these issues. In my point of view, the security BCP should focus on OAuth aspects, and discuss security topics that are directly relevant to that purpose. 
>> 
>> Concretely for the security mechanisms discussed here, I can see how cookie configurations could be relevant (the session with the AS is inherent to OAuth), but I don’t see defenses such as CSP as relevant in that scope. If these are in scope, should we then also provide advice or pointers on avoiding server-side implementation vulnerabilities, such as SQL injection or SSRF?
>> 
>> Additionally, many of these security mechanisms are quite complex and non-trivial to deploy. For example, adding a generic pointer stating “you should add CSP” does not say much, as CSP can control more than a dozen features. 
>> 
>> To summarize, I would keep the scope of these specs as narrow as possible and avoid aiming to address security concerns that are beyond the realm of OAuth.
>> 
>> Philippe
>> 
>> —
>> Pragmatic Web Security
>> Security for developers
>> https://pragmaticwebsecurity.com <https://pragmaticwebsecurity.com/>
>> 
>>> On 6 Nov 2023, at 15:39, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>> 
>>> +1 to referring to calling out that cookies / headers should follow best security practice, and pointing to living documents
>>> 
>>> On Mon, Nov 6, 2023 at 6:21 AM Giuseppe De Marco <demarcog83@gmail.com <mailto:demarcog83@gmail.com>> wrote:
>>> Hi,
>>> 
>>> everytime I have implemented SAML2, OAuth 2.0, OpenID Connect, for different projects and orgs, I have included secured web cookie in the recipe.
>>> For the implementation profile of OpenID4VP I did the same, where the secured and httponly cookie is used an in particular as a basic security requirement for the cross device flow [1].
>>> 
>>> Even if I got perfectly Daniel's and Aaron's editorial strategy and I agree, I think that Dick's proposal and your confirmation on that, Neil, is something to take into account to bring developers awareness during the implementation phases.
>>> A ref to living OWASP specs surrounded by a generic refs to the user agent security, even if out of scope, I think that should be in the specs.
>>> 
>>> [1] https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html#remote-protocol-flow <https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html#remote-protocol-flow>
>>> Il giorno lun 6 nov 2023 alle ore 15:11 Neil Madden <neil.e.madden@gmail.com <mailto:neil.e.madden@gmail.com>> ha scritto:
>>> Although I think we could add some basic advice, the list of security headers to use is still evolving. For example, there were several headers added after Spectre to limit cross-site interactions. And then there’s things like the “X-XSS-Protection” header, which was best practice to add to responses not too long ago but has now been universally removed from browsers as it enabled certain content disclosure attacks.
>>> 
>>> Cookie security attributes are perhaps a bit more stable, but in general we probably just want to point people at “living” guidance like OWASP.
>>> 
>>> — Neil
>>> 
>>>> On 5 Nov 2023, at 19:28, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>> 
>>>> The cookie and header recommendations I am thinking of would be for the AS as well as the client. 
>>>> 
>>>> A number of XSS attacks can be thwarted by a modern browser and the right HTTP headers.
>>>> 
>>>> My question is: Did the authors consider adding cookie and header recommendations, and decided it was too general? 
>>>> 
>>>> Cookie and header best security practices have been around for years -- I'm not suggesting we make anything up -- I'm suggesting we raise awareness. 
>>>> 
>>>> I consider myself to be fairly security aware, and I was not aware of some of the HTTP headers that are best security practice. 
>>>> 
>>>> /Dick
>>>> 
>>>> 
>>>> On Sun, Nov 5, 2023 at 11:19 AM Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org <mailto:40parecki.com@dmarc.ietf.org>> wrote:
>>>> I don't think it's necessary to say "do the right things with cookies" in the Security BCP. The Browser Apps BCP has a much deeper discussion of how different browser-based architectures work with cookies so that seems like a better place to actually have a real discussion about it.
>>>> 
>>>> Also +1 to what Daniel said about not continuing to add little things. Plus I think it's too late anyway, publication has already been requested for the Security BCP.
>>>> 
>>>> Aaron
>>>> 
>>>> On Sun, Nov 5, 2023 at 11:14 AM Daniel Fett <fett=40danielfett.de@dmarc.ietf.org <mailto:40danielfett.de@dmarc.ietf.org>> wrote:
>>>> I agree with Aaron! 
>>>> 
>>>> Also we should be very careful about any additions to the Security BCP at this point. It is very easy to re-start the "one more thing" loop we've been stuck in for the last years. There may be more useful things to say, but we should put them on the list for a future second version of the BCP.
>>>> 
>>>> -Daniel
>>>> 
>>>> Am 05.11.23 um 20:03 schrieb Aaron Parecki:
>>>>> I don't think the Security BCP should incorporate cookie best practices directly in the document. If anything, it sounds like possibly a candidate for inclusion in the Browser Apps BCP. 
>>>>> 
>>>>> There are already some mentions of these cookie properties mentioned in the Browser Apps BCP, though only in reference to specific architectures, not as a general best practice. For example:
>>>>> 
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security <https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html#pattern-bff-cookie-security>
>>>>> 
>>>>> Aaron
>>>>> 
>>>>> On Sun, Nov 5, 2023 at 10:48 AM Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>>>> Hey
>>>>> 
>>>>> I was reviewing security on some sites I managed and checked to see if the recommendations were in the BCP.
>>>>> 
>>>>> I don't see anything around cookies such as httpOnly, sameSite, secure. 
>>>>> 
>>>>> I saw some HTTP security header suggestions buried in 4.16 (X-Frame-Options, CSP), but not for Strict-Transport-Security, Permissions-Policy, or X-Content-Type-Options, and the CSP guidance is rather vague.
>>>>> 
>>>>> I understand these are general web security best practices, and perhaps I missed it, but I think it would be useful to call out that best security practices around cookies and headers should also be followed in Section 2, and either have the best practices included, or direct the reader where to find them.
>>>>> 
>>>>> /Dick
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>

v2.23.0 | Report a Bug | By Email