Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
Hans Zandbelt <hans.zandbelt@zmartzone.eu> Thu, 04 April 2019 19:59 UTC
Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5D441201D4 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 12:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone-eu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0WxrRBV3zFZ for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 12:59:05 -0700 (PDT)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 902761201B3 for <oauth@ietf.org>; Thu, 4 Apr 2019 12:59:05 -0700 (PDT)
Received: by mail-qt1-x82d.google.com with SMTP id w5so4742621qtb.11 for <oauth@ietf.org>; Thu, 04 Apr 2019 12:59:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zmartzone-eu.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=c2yXs5/kVHrc2NXzGT5CliD0jv4FSD5X8u4eQMWL/oI=; b=zIhh2rD7yTfvDUwCecSZ/UDyz9O/eXksRStwp7E2SKiFa0LrPshCYYb2DUNsuUxUW9 wopctbm4VLwTkNcb/UIMZp9Q5p16nh5qRVoStmS0Ns82x/PNeqzpZ9trTqBcANAZxLoE 8BgqQhHNK9Ofaw1HS3+bGSmf2sAyQ+6cF988550O+kJCmTHgzU4neEGUgmz7z4FnzW3d YTSJ6HtdXq/yNq17aoGlezmT98SrazX/3jbBCgHbLox7Y2cfiviR8QGrHyAP1SrO7i5n /WmksMq0DJFcfuWZLcEDYbPb8F7U8EUTtIX77jCnepRhl07mr9IaJQtrW8zqkFbzC5/Y Qa8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=c2yXs5/kVHrc2NXzGT5CliD0jv4FSD5X8u4eQMWL/oI=; b=MTAcpyQTyaBfAfmlv/xh48YylADo2g49pLx72Irwe39Jn/9dlbNClsrOGbmVU3/zgp G7YCz7jv732e708ixcozsJGrG/9BRRdDRaD+heOxUN6Vg28Pg/j06Fng0T04Uhv1Ljo6 bG7B9qCJ/aD+UwVci90nhoJFnllTX4iWMnSFNUhdFg+ymcKi9P8YocDlGRsn1D8c5cek HYWN9wkzeR/Vf3t+TP8CLmDXyLOwHG7Mc3FZFhVOnvDQoXF2gddMOYcWnU3IMP/MYK5/ KsYLo9duVOWbX3rG1yRa/rJxpKAzHVc016LTARhZ6T7DWW3fl/4KtbxEm6VAJWe1aiH3 G+rw==
X-Gm-Message-State: APjAAAVowOQXkA4cQivBnHgloYR1pmk4mJMYxGf2JffSBsqp9repMmiX ol8V9sGOuoXo8z4WCNw/ANGMbE0C2XveShlIXOedcA==
X-Google-Smtp-Source: APXvYqynXpNUx+yP/af4dTer7dXRhdmOct9Owkavdznb+zAE+WLz2YCCo01Qwda+FxTiJYvKfQjCeWn/WobtvoascyI=
X-Received: by 2002:aed:3766:: with SMTP id i93mr7125520qtb.227.1554407944419; Thu, 04 Apr 2019 12:59:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com> <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com> <CA+iA6uhHOSmiSG_vxvad_g2ufi57OS4TxdvoO20g+7vm7rNZiA@mail.gmail.com> <CAO7Ng+vGC5ByU1wZrbNWvaZ+QuDByhJ8huw8UXVxfOCWQpaH1w@mail.gmail.com> <CA+iA6ujkEMdHPMn7JQLts7OAusV3ieKKMon572vTACtFvTGnrA@mail.gmail.com> <CAO_FVe73L7B-_7gu1W0N-mqLXHQExef4QKDeaWHrUmJnCCxCRg@mail.gmail.com> <D610AAEA-892F-4AAD-915D-A0C068F5BFD3@gmail.com> <CAO7Ng+sqzw4O2vt+iCWegBWBGg+-oyqV1j8dF7ADK2TbPec_CQ@mail.gmail.com> <CAHsNOKewL9xCFt6SsP4dz+W0CN_NUZaGMJahF7mSgos_Xbnhhw@mail.gmail.com> <CAO_FVe7c6jLRJ8mD7gw=a6NY3oZcgCh_b5dR8uRXa6Q2c2gmGg@mail.gmail.com> <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com> <a34edf0e-012a-ecc9-e547-3cdc61dca5a4@aol.com> <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com> <239f40ab-da4d-03fe-4524-0b21a0bcc63e@aol.com> <SN6PR00MB0304BC3C7D438F8A5715B36DF5500@SN6PR00MB0304.namprd00.prod.outlook.com>
In-Reply-To: <SN6PR00MB0304BC3C7D438F8A5715B36DF5500@SN6PR00MB0304.namprd00.prod.outlook.com>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Thu, 04 Apr 2019 21:58:51 +0200
Message-ID: <CA+iA6ugr+xPfeTFXK2gGBFX8Yw+zGArGfav=Ci5A3qNYUqB7rw@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005d14fc0585b9cdd2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yw3nTHZSKN8gmwvsc5tvW-CX2_0>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 19:59:11 -0000
the definition of RFC 7519 is actually "petitio principii" and a lot of deployments put claims about the Resource Owner in the access token (as a Resource Server implementer I've suffered a lot from this) Hans. On Thu, Apr 4, 2019 at 9:48 PM Mike Jones <Michael.Jones@microsoft.com> wrote: > I agree with George that the subject of a token must be the principal of > that token. That what the JWT “sub” claim is for. Indeed, the first > sentence of the “sub” definition at > https://tools.ietf.org/html/rfc7519#section-4.1.2 is: > > The "sub" (subject) claim identifies the principal that is the subject of > the JWT. > > > > If an access token uses “sub”, its usage must comply with the definition > from RFC 7519. > > > > -- Mike > > > > *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *George Fletcher > *Sent:* Thursday, April 4, 2019 8:51 AM > *To:* Hans Zandbelt <hans.zandbelt@zmartzone.eu> > *Cc:* Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>; IETF oauth > WG <oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00 > > > > The more I think about this the more I land in the "No" camp. > > The subject of a token should be the principal of that token. It shouldn't > matter whether that is a machine, a user, or a device. Trying to separate > out "humans" as a special class will just make things more complicated. If > we need a claim to identify the subject is a "human" then why not just add > that. This doesn't break anything and makes it easy for people to detect > this case in those use cases where it's required. > > Thanks, > George > > On 4/3/19 4:56 PM, Hans Zandbelt wrote: > > I will argue that in a way such deployments are already broken e.g. in the > typical use case of onboarding client accounts in the same > directory/OU/namespace as user accounts and we don't need to cater for > that. > > > > Hans. > > > > On Wed, Apr 3, 2019 at 10:48 PM George Fletcher <gffletch@aol.com> wrote: > > I agree that this will break a lot of existing flows... especially those > using any form of the client_credentials flow. In that sense I'm not > completely on board yet :) > > On 3/26/19 12:56 PM, Hans Zandbelt wrote: > > great summary! this will hurt quite a few existing m2m deployments but I > do like the rigidness of it all: it is very explicit, cannot misinterpreted > and thus prevents failure (which is really what Dominick is after); I'm on > board > > > > Hans. > > > > On Tue, Mar 26, 2019 at 5:49 PM Vittorio Bertocci <Vittorio= > 40auth0.com@dmarc.ietf.org> wrote: > > thank you Steinar and everyone else for the comments on this! > > To summarize the situation so far: Dominick, Steinar, Rob, David, Nov, > Bertrand recommend using sub only for users. Martin would like to have the > sub for app only flows as well. Hans is neutral. > > That does sound like the sub as user has more consensus, tho before > changing it I'd wait for the people currently at IETF104 to have more time > to comment as well. > > Clarification. If the goal is to be able to apply the logic "if there's a > sub, it's a user flow", we have to explicitly disallow (MUST NOT) the use > of sub when that's not the case. Are all OK with it? > > > > Dave, the suggestion of having explicit typing for app only vs user only > is interesting! For the purpose of putting together an interoperable > profile, tho, I would suggest we table it for v1 in the interest of getting > to something easy to adopt (hence with small delta vs existing > implementations) faster. > > > > On Tue, Mar 26, 2019 at 1:40 AM Steinar Noem <steinar@udelt.no> wrote: > > Hi Vittorio, we (the national federation-gateway for the health services > in norway - "HelseID") think his is a really valuable initiative! > > We also agree with Dominick concerning definition of the "sub" claim. > > > > <mvh>Steinar</mvh> > > > > tir. 26. mar. 2019 kl. 07:25 skrev Dominick Baier < > dbaier@leastprivilege.com>: > > From an access token consumer (aka API) developer point of view, I prefer > this logic > > > > "If sub is present - client acts on behalf of a user, if not - not." > > > > Anything more complicated has a potential of going wrong. > > > > On 26. March 2019 at 01:34:53, Nov Matake (matake@gmail.com) wrote: > > Hi Vittorio, > > > > Yeah, I’m concerning user & client ids collision. > > I haven’t seen such implementations, but user-select username as sub, or > incremental integer as sub & client_id will be easily collide. > > > > If you can enforce collision resistant IDs between user & client > instances, it’ll works fine. I feel its overkill though. > > > > Sent from my iPhone > > > On Mar 26, 2019, at 8:51, Vittorio Bertocci <Vittorio@auth0.com> wrote: > > Hey Nov, Dominick, Hans- > > thanks for the comments. That was an area I was expecting to cause more > discussion, and I am glad we are having this opportunity to clarify. > > The current language in the draft traces the etymology of sub to OpenID > Connect core, hence Dominick observation is on point. However in the > description I express something in line with 7519, which was in fact my > intent. > > > > The idea was to provide an identifier of the calling subject that is > guaranteed to be present in all cases- this would allow an SDK developer to > use the same code for things like lookups and membership checks regardless > of the nature of the caller (user in a delegated case, app in app-only > grants). The information to discriminate between user and app callers is > always available in the token (say, the caller is a user if sub!=client_id, > where client_id is always guaranteed to be present as well) hence there's > no loss in expressive power, should that difference be relevant for the > resource server. > > > > Dominick, Hans- I probably missed the security issue you guys are thinking > of in this case. Of course, if this would introduce a risk I completely > agree it should be changed- I'd just like to understand better the problem. > Could you expand it in a scenario/use case to clarify the risk? > > Nov- playing this back: is the concern that a user and a client might have > the same identifier within an IDP? When using collision resistant IDs, as > it is usually the case, that seems to be a remote possibility- did you > stumble in such scenario in production? > > > > Thanks > > V. > > > > > > On Mon, Mar 25, 2019 at 7:44 AM Hans Zandbelt <hans.zandbelt@zmartzone.eu> > wrote: > > I believe there are plenty of OAuth 2.0 only use cases out there... but > nevertheless I agree with the potential confusion and thus security > problems arising from that (though one may argue the semantics are the > same). > > > > Hans. > > > > On Mon, Mar 25, 2019 at 3:39 PM Dominick Baier <dbaier@leastprivilege.com> > wrote: > > Yes I know - and I think in hindsight it was a mistake to use the same > claim type for multiple semantics. > > > > All the “this is OIDC not OAuth” arguments are making things more > complicated than they need to be - in my experience almost no-one (that I > know) does OIDC only - nor OAuth only. They always combine it. > > > > In reality this leads to potential security problems - this spec has the > potential to rectify the situation. > > > > Dominick > > On 25. March 2019 at 14:58:56, Hans Zandbelt (hans.zandbelt@zmartzone.eu) > wrote: > > Without agreeing or disagreeing: OIDC does not apply here since it is not > OAuth and an access token is not an id_token. > > The JWT spec says in https://tools.ietf.org/html/rfc7519#section-4.1.2: > > > > "The "sub" (subject) claim identifies the principal that is the > > subject of the JWT. The claims in a JWT are normally statements > > about the subject. The subject value MUST either be scoped to be > > locally unique in the context of the issuer or be globally unique. > > The processing of this claim is generally application specific" > > > > which kind of spells "client" in case of the client credentials grant but > I also do worry about Resource Servers thinking/acting only in terms of > users > > > > Hans. > > > > On Mon, Mar 25, 2019 at 2:41 PM Dominick Baier <dbaier@leastprivilege.com> > wrote: > > IMHO the sub claim should always refer to the user - and nothing else. > > > > OIDC says: > > > > "Subject - Identifier for the End-User at the Issuer." > > > > client_id should be used to identify clients. > > > > cheers > > Dominick > > > > On 25.. March 2019 at 05:13:03, Nov Matake (matake@gmail.com) wrote: > > Hi Vittorio, > > > > Thanks for the good starting point of standardizing JWT-ized AT. > > > > One feedback. > > The “sub” claim can include 2 types of identifier, end-user and client, in > this spec. > > It requires those 2 types of identifiers to be unique each other in the > IdP context. > > > > I prefer omitting “sub” claim in 2-legged context, so that no such > constraint needed. > > > > thanks > > > > nov > > > > On Mar 25, 2019, at 8:29, Vittorio Bertocci < > vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote: > > > > Dear all, > > I just submitted a draft describing a JWT profile for OAuth 2.0 access > tokens. You can find it in > https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/. > > I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting > remotely). I look forward for your comments! > > > > Here's just a bit of backstory, in case you are interested in how this doc > came to be. The trajectory it followed is somewhat unusual. > > - Despite OAuth2 not requiring any specific format for ATs, through > the years I have come across multiple proprietary solution using JWT for > their access token. The intent and scenarios addressed by those solutions > are mostly the same across vendors, but the syntax and interpretations in > the implementations are different enough to prevent developers from reusing > code and skills when moving from product to product. > - I asked several individuals from key products and services to share > with me concrete examples of their JWT access tokens (THANK YOU Dominick > Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian > (Microsoft), Karl Guinness (Okta) for the tokens and explanations!). > I studied and compared all those instances, identifying commonalities > and differences. > - I put together a presentation summarizing my findings and suggesting > a rough interoperable profile (slides: > https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx > <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx> > ) - got early feedback from Filip Skokan on it. Thx Filip! > - The presentation was followed up by 1.5 hours of unconference > discussion, which was incredibly valuable to get tight-loop feedback and > incorporate new ideas. John Bradley, Brian Campbell Vladimir Dzhuvinov, > Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there > and contributed generously to the discussion. Thank you!!! > Note: if you were at OSW2019, participated in the discussion and > didn't get credited in the draft, my apologies: please send me a note and > I'll make things right at the next update. > - On my flight back I did my best to incorporate all the ideas and > feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat, > Hannes and above all Brian were all super helpful in negotiating the > mysterious syntax of the RFC format and submission process. > > I was blown away by the availability, involvement and willingness to > invest time to get things right that everyone demonstrated in the process. > This is an amazing community. > > V. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > > hans.zandbelt@zmartzone.eu > > ZmartZone IAM - www.zmartzone.eu > > > > > -- > > hans.zandbelt@zmartzone.eu > > ZmartZone IAM - www.zmartzone.eu > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > > Vennlig hilsen > > > > Steinar Noem > > Partner Udelt AS > > Systemutvikler > > > > | steinar@udelt.no <steinar@udelt..no> | hei@udelt.no | +47 955 21 620 | > www.udelt.no | > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > > hans.zandbelt@zmartzone.eu > > ZmartZone IAM - www.zmartzone.eu > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > > > -- > > hans.zandbelt@zmartzone.eu > > ZmartZone IAM - www.zmartzone.eu > > > -- hans.zandbelt@zmartzone.eu ZmartZone IAM - www.zmartzone.eu
- [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Nov Matake
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Pedro Igor Silva
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… CARLIER Bertrand
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… donald.coffin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Nov Matake
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dave Tonge
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Rob Otto
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Steinar Noem
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dave Tonge
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Binningsbø
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Benjamin Kaduk
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… David Waite
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Dominick Baier
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Schanzenbach, Martin
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Mike Jones
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Mike Jones
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Binningsbø
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Brian Campbell
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Karl McGuinness
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- [OAUTH-WG] OAuth security topics Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- Re: [OAUTH-WG] OAuth security topics Hannes Tschofenig
- [OAUTH-WG] Off Topic: oauth-bounces Neil Madden
- Re: [OAUTH-WG] OAuth security topics Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth security topics Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Hans Zandbelt
- Re: [OAUTH-WG] Off Topic: oauth-bounces Benjamin Kaduk
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Neil Madden
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth security topics Torsten Lodderstedt
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… George Fletcher
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] draft-bertocci-oauth-access-token-… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth security topics Neil Madden