# OAuth - Thursday - IETF 102

Tony Nadalin taking notes

# PoP Tokens: OAuth 2.0 Proof-of-Possession Tokens – Hannes

Refresher on PoP Tokens
- Interactions between Client and the AS (asymmetric keys)

Status
- ACE-OAuth PoP functionality: CoAP and HTTP are using this
- WebRTC is also using PoP Tokens
- DTLS usage

Open Issues
- Where should the HTTP-based parameter definitions go?
- "alg" vs "profile" parameter
- How should the transport parameter go?
- ACE-OAuth defined parameters: Audience, Confirmation and Profile; these are also defined for token introspection

John B.: Don't use audience as a parameter; also, making these parameters is hard, experience from Token Binding, so piggyback on Token Binding. Ongoing discussion on using "aud" in a request, so different names are needed; just use a different name, don't overload the existing "aud" claim, check for conflicts.

Mike wants to adopt the Resource Indicator draft.

What is needed?
- Protocol
- Token Type
- Security Protocol

Lots of conflicts between OAuth and ACE OAuth.

# Distributed OAuth – Dick Hardt

Presented in Singapore; Nat and Brian have joined as editors.

- AS discovery problem: static relationship between AS and resource, but this needs to change, so how do you find the right AS?
- Access token reuse: token may not have the right scope for the different AS
- UTM security model, use cases for aviation
- HTTP 401 responses: client discovers AS, discovers resource URI also; client confirms resource URI; client then knows where the AS is
- PoP: AS reuses the client credentials at different
- Many different options here to discuss

Next steps
- Add resource URI to code flow
- Sender-constrained access tokens

Call to adopt as WG draft; hum indicated to adopt, will be taken to the list.

Should we adopt the Resource Indicator as WG draft? Hum indicates to adopt.

# Best Security Practices Document

Feedback from security researchers: read the document.

Recommendations in document
- Exact redirect URI matching
- One-time use tokens

Status
- Latest version is -06

Open issues
- Crypto agility
- Audience restrictions
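The confirmation binding that the PoP token discussion above rests on, as an added example that is not from the meeting notes or from any of the drafts mentioned: a resource server derives the RFC 7638 thumbprint of the key the client presents and checks it against the token's "cnf" claim (RFC 7800). The key coordinates, claim values and function names are constructed for the demo; verifying the client's signature over the request is a separate step not shown here.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members enter the thumbprint, serialized in
# lexicographic order with no whitespace; "kid", "use", "alg" are ignored.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url without padding."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_bound_to_token(token_claims: dict, presented_jwk: dict) -> bool:
    """Check that the token's "cnf" claim (RFC 7800) names the key the
    client presented, given as an embedded "jwk" or as a "jkt" thumbprint
    (the form DPoP, RFC 9449, uses). This checks only the binding; verifying
    the client's signature over the request with that key is a separate step.
    """
    cnf = token_claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # plain bearer token: nothing to confirm, fail closed
    presented = jwk_thumbprint(presented_jwk)
    if "jwk" in cnf:
        return hmac.compare_digest(jwk_thumbprint(cnf["jwk"]), presented)
    if "jkt" in cnf:
        return hmac.compare_digest(cnf["jkt"], presented)
    return False  # unsupported confirmation method: fail closed


# Constructed sample key material and claims (not real curve points).
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXgtY29vcmQ",
              "y": "c2FtcGxlLXktY29vcmQ", "kid": "client-1", "use": "sig"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "b3RoZXIteC1jb29yZA",
             "y": "b3RoZXIteS1jb29yZA"}
TOKEN_CLAIMS = {"sub": "device-42", "aud": "https://rs.example",
                "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
```

Because optional members are excluded from the thumbprint, the same key presented with or without "kid"/"use" confirms, while a different key or a token without "cnf" is rejected.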