IETF
oauth@jabber.ietf.org
Friday, July 26, 2019
aaronpk has set the subject to: OAUTH at IETF105 https://datatracker.ietf.org/meeting/105/session/oauth Notes: https://etherpad.ietf.org/p/notes-ietf-105-oauth

GMT+0
[01:18:38] aaronpk joins the room
[01:34:54] aaronpk joins the room
[01:35:53] aaronpk leaves the room: unknown reason
[01:36:53] aaronpk leaves the room: unknown reason
[01:51:11] aaronpk joins the room
[03:48:16] bkero joins the room
[03:48:33] bkero leaves the room: Stream closed by us: Replaced by new connection (conflict)
[03:48:44] bkero joins the room
[03:48:56] bkero leaves the room: Stream reset by peer
[03:49:16] aaronpk leaves the room: unknown reason
[04:30:34] aaronpk joins the room
[13:16:10] aaronpk joins the room
[13:17:08] aaronpk leaves the room: unknown reason
[13:18:08] aaronpk leaves the room: unknown reason
[13:43:29] Meetecho joins the room
[13:48:45] aaronpk joins the room
[13:55:14] Filip Skokan joins the room
[13:55:14] Fady Abdelmalik joins the room
[13:55:48] <Filip Skokan> :wave:
[13:57:21] Fady Abdelmalik leaves the room
[13:58:23] Petteri Stenius joins the room
[14:00:26] Torsten Lodderstedt joins the room
[14:02:48] Brian Campbell joins the room
[14:03:47] <Brian Campbell> I'm going to be jabber proxy to the room here in Canada
[14:04:30] Bjorn Hjelm joins the room
[14:05:00] Bjorn Hjelm leaves the room
[14:05:02] Bjorn Hjelm joins the room
[14:05:15] Bjorn Hjelm leaves the room
[14:05:16] Bjorn Hjelm joins the room
[14:14:33] <Torsten Lodderstedt> Can you please explain why an RS needs to distinguish whether the sub is a user or an app?
[14:14:49] Josh Cain joins the room
[14:19:03] roman joins the room
[14:19:20] <roman> draft-ietf-secevent-subject-identifiers-05 is the SECEVENT draft just mentioned
[14:22:21] <Brian Campbell> does Annabel's question cover yours Dr. Lodderstedt?
[14:22:36] <Torsten Lodderstedt> it does.
[14:29:11] <Filip Skokan> OIDC's refresh token + id token behaviour agrees here, even after refreshing the newly issued id token is supposed to have the original auth_time, acr and amr
[14:29:59] <Filip Skokan> deviating the behaviour for an issued JWT AT is confusing me
[14:32:30] <Brian Campbell> sorry Filip, time got cut off
[14:32:53] <Filip Skokan> np ;) i'll speak my mind on the list when it comes up
[14:36:13] Filip Skokan leaves the room
[14:36:14] <Brian Campbell> i copied and sent it cc you in an email to Vittorio fwiw
[14:36:15] Filip Skokan joins the room
[14:37:03] Filip Skokan leaves the room
[14:37:05] Filip Skokan joins the room
[14:38:29] roman leaves the room: Disconnected: closed
[14:38:43] <Torsten Lodderstedt> I think Same-Domain Applications do not belong in this BCP, if you want to describe this pattern, write up another ID
[14:38:50] <Torsten Lodderstedt> does
[14:39:20] francesca joins the room
[14:39:41] roman joins the room
[14:42:24] <Torsten Lodderstedt> We either need to describe it with all the consequences (including threat analysis and security recommendations).
[14:46:38] <Filip Skokan> leave it out or ref, BCP covers it
[14:48:12] <Torsten Lodderstedt> +1
[14:48:17] <Filip Skokan> +100
[14:51:49] <Torsten Lodderstedt> I don't believe this is a good idea w/o sender constraining
[14:55:03] <Torsten Lodderstedt> Why use a backend if in the end you send the AT to the browser?
[14:59:00] <Filip Skokan> SPAs need a way to get fresh access tokens or access tokens for another RS (using resource indicators). Without Refresh Tokens, what's a reliable way to get those? Iframes rely on 3rd party cookie access which is in the crosshairs of pretty much every browser vendor nowadays, constantly redirecting blows UX, so do pop-ups since they require end-user interaction. Either we put forth restrictions on the AS and Client to be able to get Refresh Tokens (e.g. using DPoP / sender constraining, rotating on every use, something else...) or get searching for a completely new mechanism.
[15:00:38] <Filip Skokan> no need to proxy Brian, Aaron is on the same thought track
[15:01:38] <Filip Skokan> :D
[15:02:07] <Brian Campbell> hehe yeah
[15:43:46] Josh Cain leaves the room
[15:44:54] <Filip Skokan> hummmm
[15:46:07] <Filip Skokan> (to bring it)
[15:46:57] <aaronpk> where is the current draft?
[15:47:09] <Filip Skokan> https://bitbucket.org/openid/fapi/src/master/Financial_API_Pushed_Request_Object.md
[15:47:27] <aaronpk> thanks
[16:00:39] francesca leaves the room
[16:01:41] Brian Campbell leaves the room
[16:02:24] Petteri Stenius leaves the room
[16:02:28] Torsten Lodderstedt leaves the room
[16:02:42] Filip Skokan leaves the room
[16:02:57] Bjorn Hjelm leaves the room
[16:03:12] Meetecho leaves the room
[16:03:25] aaronpk leaves the room: unknown reason
[16:03:53] roman leaves the room: Disconnected: closed
[16:11:35] aaronpk joins the room
[16:22:52] francesca joins the room
[16:22:58] francesca leaves the room
[16:23:55] aaronpk leaves the room: unknown reason
[16:25:16] roman joins the room
[16:29:04] aaronpk joins the room
[16:30:04] aaronpk leaves the room
[16:30:37] aaronpk joins the room
[16:41:12] roman leaves the room
[16:42:15] aaronpk leaves the room: unknown reason
[22:02:41] aaronpk joins the room