Web Authorization Protocol (OAuth)
==================================

Date: WEDNESDAY, November 12, 2014
Time: 0900-1130 HST
Room: Lehua Suite
Minute Taker: Brian Rosen

* WG Status Check

- JWT (Mike)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/

  Mike: No remaining DISCUSSes.

- Assertions (Brian)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/

  Mike (channelling Brian): No remaining DISCUSSes.

- Dynamic Client Registration (Justin)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg-management/

  Justin: Document is awaiting IESG review. Management shepherd writeup
  complete but not submitted. Multiple implementations of both specs exist.

  Brian (from remote) asked whether draft-ietf-oauth-dyn-reg-management
  allows for the kind of stateless client id that Bradley described in
  draft-bradley-oauth-stateless-client-id.

  (Background note: draft-ietf-oauth-dyn-reg-management still has text
  that says, 'The value of the "client_id" MUST NOT change from the
  initial registration response.' which makes it incompatible with the
  concepts described in draft-bradley-oauth-stateless-client-id.)

  Question was raised whether draft-bradley-oauth-stateless-client-id
  should be published as a BCP - it is an implementation issue rather
  than a protocol standard. John said that he would resubmit the expired
  draft.

- IPR Disclosure on OAuth (Chairs)

  Nokia submitted an IPR disclosure late. No comments received.

- Milestone Check / Status of Charter Update

  Hannes showed the status and noted that he has to work with Kathleen
  to get the milestones and the charter text updated.

* OAuth & Authentication (Justin)
  Write-up by Justin:
  http://www.ietf.org/mail-archive/web/oauth/current/msg13708.html

  Justin presented the text he wrote about authentication and OAuth,
  which is published on http://oauth.net/articles/authentication

  Participants noted that the write-up is not a consensus document, and
  authentication is not in scope of the working group.

  Chairs: We can at any time update the charter to make work in scope
  (as we did in the past with other items) -- assuming there is interest
  and consensus to do so.
  Kathleen: User authentication work is currently not in scope, but we
  could add it.
  Justin: Lots of mail list discussion, I don't think we have consensus
  to do it.
  Phil: Authentication has been on the sideline for a while. We wanted
  to create an informational document describing the problems and get
  consensus.
  Chairs: Who wants to work on an authentication document?
  Chairs: Who will contribute text?
    John, Tony, Phil, Steve Friedl (Cisco).
  Who will review?
    Justin, Mike, Leif, Lucy, Klaas.

* Token Exchange (Mike)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/

  Need comments, no update planned until we get some.
  John: Brian and I wrote a doc to look at another way. Lots of subtlety.
  Justin: Need to incorporate token-agnostic part separate from
  assertion based part.
  Mike: That's different functionality; you need to write a different
  draft.
  Justin: I did.
  Tony: We accepted this draft as a starting point, we need submissions
  to add other work.
  Justin: This document is "act as" and "on behalf of". Need syntax of
  swapping tokens to be more general.
  Discussion due to the confusion about the scope of the document.
  Chairs: Maybe a conference call to look at the docs and see where we
  are and where to go from here.

* Proof-of-Possession (Hannes, Mike)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/

  Discussion about the HTTP signing specification and how to best
  approach the topic. Feedback needed.
  Chairs: Chairs ask the group whether the architecture/use case/
  requirements document is ready for WGLC?

* SPOP (Nat)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-spop/

  Nat explained the draft changes since the WGLC.
  Bill raised the concern that the WGLC was issued too early. Chairs
  reacted to his concern and pointed to the problems observed in the
  wild. It looked like a simple doc, so WGLC was a good way to
  accelerate feedback.
  Discussion of changes in the document and various design decisions.
  Chairs suggested adding further text to the introduction and to the
  security considerations about the attacker assumptions and the nonce
  use.
  Nat & John said that they will publish a new version this week (which
  happened in the meanwhile). The new version also contains a figure
  describing the attack.

* Token Introspection (Justin)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/

  Justin: Stable for years, mostly uses JWT stuff. Multiple
  implementations exist, not a lot of interop testing. Different
  platforms and languages (on client side esp). Ready for WGLC.
  Chairs: Who has read it? <4-5 hands>
  Tony: Issues raised last Q&A session not handled, such as encrypted
  tokens and proof-of-possession integration.
  Justin: Encrypted tokens can be used without a lot of change. Of
  course, the authorization server needs to have access to the key to
  decrypt the token. For proof of possession tokens, don't think baked
  enough to know what to send for introspection.
  Chairs: Should we hold this one up for PoP to progress or do a
  separate doc?
  Justin: Like bearer tokens, ship now, do another draft for proof of
  possession either as bis or a separate doc. Important to nail down the
  JSON doc that comes back.
  Chairs: Hum for ready for WGLC.
  Chairs: Re-spin and we will check again.
  Lucy: Not happy with spin and check again. Going to WGLC forces folks
  to comment or give up.
  Tony: We bring up proof of possession and encryption and no changes
  were made.
  Chairs: We need text input to progress the document. If we have no
  text, we will do last call on Dec 1.

* Request by JWS ver.1.0 for OAuth 2.0
  http://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

  Nat is looking for feedback.

* Misc

  John reported a security problem where a 302 redirect without user
  interaction causes security problems. Do we want to say something
  about this? Implementation guidance somewhere?
  Chairs: Is this written up?
  John: Yes, on mailing list.
  Justin: This might be a good example for the oauth.net article section
  because it's implementation advice, not a change to the protocol.

  Kathleen: With current docs in IESG last call, requested a mail list
  jwt-reg-review. We will have to create the review list.
  Hannes takes action item to create the list and to update the
  description on the non-IETF working group mailing list page.