Discussion:
[OAUTH-WG] Call for adoption: Token Binding for OAuth 2.0
Hannes Tschofenig
2016-08-03 07:45:59 UTC
Hi all,

this is the call for adoption of the 'OAuth 2.0 Token Binding' document
bundle* following the positive call for adoption at the recent IETF
meeting in Berlin.

Here are the links to the documents presented at the last IETF meeting:
https://tools.ietf.org/html/draft-jones-oauth-token-binding-00
https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00

Please let us know by August 17th whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Ciao
Hannes & Derek

*: We will find out what the best document structure is later, i.e.,
whether the content should be included in one, two or multiple documents.
John Bradley
2016-08-03 20:48:04 UTC
I accept these documents as a starting point of the Token binding work in OAuth.

John B.
Mike Jones
2016-08-03 21:11:18 UTC
I agree with the adoption of these documents as the starting point for OAuth Token Binding work.

-- Mike

Dirk Balfanz
2016-08-17 07:39:58 UTC
Post by John Bradley
I accept these documents as a starting point of the Token binding work in OAuth.
Same here. I accept adoption as a starting point.

Dirk.
Torsten Lodderstedt
2016-08-17 08:38:05 UTC
+1
Vladimir Dzhuvinov
2016-08-04 10:18:25 UTC
I agree to have these specs accepted.
--
Vladimir Dzhuvinov
Brian Campbell
2016-08-04 16:10:49 UTC
I accept these documents as a starting point of the Token binding work in
OAuth.

With emphasis on "starting point" because even the initial discussions
about the work in Berlin uncovered changes that'll be necessary or
desirable.
George Fletcher
2016-08-04 17:17:08 UTC
I accept these documents as a starting point of the Token binding work in OAuth.

George
Brian Campbell
2016-08-16 18:44:58 UTC
Just a friendly reminder that the 'deadline' for this call for adoption is
tomorrow.

According to the minutes from Berlin
<https://www.ietf.org/proceedings/96/minutes/minutes-96-oauth>, 13 people
were in favor of adopting OAuth 2.0 Token Binding and 0 were against.
Anthony Nadalin
2016-08-16 21:26:35 UTC
I’m OK with the https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 but not sure that https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00 is a good starting point as we would want a more generic solution for PoP tokens in general


Brian Campbell
2016-08-22 21:02:00 UTC
I agree with Tony, if I understand what he's saying.
https://tools.ietf.org/html/draft-campbell-oauth-tbpkce-00
was largely a straw-man to get the conversation started. But after talking
with people in Berlin, reviewing Dirk's document, and thinking about it
some more - it's not clear that PKCE is a great fit for token binding the
authorization code.

Token binding the authorization code is, I think, something we want to
account for. But using/extending PKCE might not be the way to go about it.
And whatever approach we land on should probably be just one part of the
larger document on OAuth 2.0 Token Binding.
Torsten Lodderstedt
2016-08-23 14:36:02 UTC
+1

I would also propose to focus use of token binding to detect replay of
tokens (access, refresh, code)
William Denniss
2016-08-23 19:54:05 UTC
+1 to adopt.

I would like us to develop a unified approach and merge the current drafts.
John Bradley
2016-08-23 20:22:33 UTC
Yes I think merging the drafts and not reusing PKCE is the correct path.

Protection for code in the browser redirect also needs to be added to fully protect the whole flow.

John B.
John Bradley
2016-08-23 21:01:38 UTC
Yes I think merging the drafts and not reusing PKCE is the correct path.

Protection for code in the browser redirect also needs to be added to fully
protect the w

Hannes Tschofenig
2016-09-07 15:15:13 UTC
The call for the token binding draft has been concluded and I asked the
authors to submit a -00 WG document version.

Ciao
Hannes