IETF 95 OAuth Meeting Agenda
Wednesday, 10:00-12:30

Chairs: Hannes Tschofenig / Derek Atkins
Meeting Minute Taker: Leif Johansson

Agenda
======

- Status Update (Hannes, 5 min)
  (a) Informal OAuth Security Workshop (December 2015)
  (b) OAuth Security Workshop (July 2016)
  (c) Re-chartering
  (d) "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" as RFC

*** WG Documents ***

- OAuth 2.0 Mix-Up Mitigation (Hannes, 45 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/
  Presentation about the problems/threats we are solving:
  (a) OAuth Mix-Up (John)
  (b) Cut-and-paste Attack (Nat)
  Move the cut-and-paste threat to a different document?

- OAuth Discovery (45 min)
  What are the use cases the discovery document is solving?
  OAuth 2.0 Authorization Server Discovery Metadata (Mike, 15 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/
  OAuth Response Metadata (Nat, 15 min)
  https://datatracker.ietf.org/doc/draft-sakimura-oauth-meta/
  OAuth 2.0 Bound Configuration Lookup (Phil, 15 min)
  https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00

- Token Exchange (Brian, 15 min)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
  What has been done, and what open issues remain? Implementation status? Interoperability?

- OAuth 2.0 for Native Apps (William, 15 min)
  http://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
  Presentation of availability of code.
  Move the document to WGLC as soon as enough people have done interop tests.

*** Non-WG Documents ***

- Resource Indicators for OAuth 2.0 (Brian/John, 15 min)
  https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/

*** Not Discussed ***

- Authentication Method Reference Values document published.
  https://datatracker.ietf.org/doc/draft-ietf-oauth-amr-values/

- Proof-of-Possession
  http://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/
  http://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/
  https://datatracker.ietf.org/doc/draft-ietf-oauth-signed-http-request/

- OAuth 2.0 JWT Authorization Request (JAR)
  https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
  Why is the document important? (related to the mix-up attack)
  After the WGLC, is the document ready?

- OAuth 2.0 Security: Closing Open Redirectors in OAuth
  https://datatracker.ietf.org/doc/draft-ietf-oauth-closing-redirectors/
  Haven't received more feedback. WGLC?

- OAuth 2.0 Device Flow
  https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/
  Compare the document with current deployments and provide feedback.
  Mike to send feedback from the Microsoft team.

- Conclusion (Hannes, 10 min)

Meeting Notes
=============

Hannes reviews developments since Yokohama
- security workshop hosted by DT to discuss the mix-up security vulnerability
- created a list for submitting OAuth security vulnerabilities
- next security workshop (July 2016) announced
- review of recharter and new milestones

OAuth 2.0 Mix-Up Mitigation
- John presenting mix-up attacks and mitigation
- Discussion about the attack and its implications at the mic
- Nat presenting the cut-and-paste attack
- WG discussed how to structure the documents describing mitigations to these attacks
- Barry's advice: create a document that describes the threats and updates the normative documents with the mitigations. At some point in the future, roll it all up into a -bis.

OAuth Discovery
- Mike Jones presenting draft-ietf-oauth-discovery-02

OAuth Meta
- Nat presents the metadata draft.
- Discussion at the mic about overlap with other drafts and other issues

OAuth 2.0 Bound Configuration
- Phil Hunt presents his draft
- Discussion at the mic about overlaps and relationships with other drafts, including those already presented in the session.
- LJ suggests a design team to come up with a consistent model for discovery and metadata
- More discussion at the mic about the merits of standard metadata models
- Chair formed a design team: John, Mike, Brian (who doesn't think we need a design team), Dick Hardt, Phil, Tony, Nat

Token Exchange
- Brian presenting draft-ietf-oauth-token-exchange-03
- Mike at the mic noting there are no implementations yet. Should have that before WGLC.
- Jim Fenton: we have an implementation that could be adapted to this.

OAuth 2.0 for Native Apps
- William Denniss presents the draft BCP. Notes involvement of local Argentinian developers in a Django OIDC plugin implementing the BCP.

Resource Indicators for OAuth 2.0 (Brian/John, 15 min)
- Brian C presents draft-campbell-oauth-resource-indicators-01
- Torsten L at the mic talking about the relationship between this and scopes
- Discussion at the mic follows on this topic
- Chair calls for adopting the work in the WG. 10 hands raised for, 0 against, 1 for "not enough data". To be confirmed on the mailing list, but reflects rough consensus.

John Bradley sang a few notes from The Sound of Music to end the meeting.
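The mix-up mitigation item above records only that the attack and its mitigation were presented. The mitigation draft listed in the agenda takes the approach of having the authorization server return an `iss` (and `client_id`) parameter in the authorization response, so that a client registered with several authorization servers can confirm the response came from the server it actually sent the request to before it forwards the code anywhere. The following is an added example written for these minutes, not code from the draft, the working group or any presenter; the authorization server registry, client ids, URLs and the `state` bookkeeping are all constructed for illustration.

```python
# Added example: client-side consistency check on an OAuth 2.0 authorization
# response, in the spirit of the mix-up mitigation draft (iss + client_id in the
# response). Not code from the draft or the WG; all identifiers are constructed.
from urllib.parse import parse_qs, urlsplit

# Constructed registry of the authorization servers this client is registered
# with, keyed by issuer URL. The client_id differs per AS, which is exactly
# what lets the check catch a code that arrived via the wrong server.
AUTHORIZATION_SERVERS = {
    "https://as.example.com": {
        "client_id": "client-at-honest-as",
        "token_endpoint": "https://as.example.com/token",
    },
    "https://other-as.example.net": {
        "client_id": "client-at-other-as",
        "token_endpoint": "https://other-as.example.net/token",
    },
}


class MixUpError(Exception):
    """The authorization response is inconsistent with the request the client sent."""


def start_authorization(state_store, state, issuer):
    """Remember which AS the authorization request carrying `state` was sent to.

    This binding is what the response is later checked against; without it the
    client has no record of which server is supposed to be answering.
    """
    if issuer not in AUTHORIZATION_SERVERS:
        raise ValueError(f"unknown authorization server {issuer!r}")
    state_store[state] = issuer


def validate_authorization_response(redirect_url, state_store):
    """Return (issuer, code) if the response is consistent, else raise MixUpError.

    Only on success should the code be sent to the token endpoint, and then only
    to the token endpoint of the returned issuer.
    """
    raw = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    # A parameter appearing twice is ambiguous; refuse rather than pick one.
    dupes = [k for k, v in raw.items() if len(v) != 1]
    if dupes:
        raise MixUpError(f"duplicate response parameter(s): {dupes}")
    params = {k: v[0] for k, v in raw.items()}

    # state is single use: pop it so a replayed response cannot match again.
    expected_issuer = state_store.pop(params.get("state"), None)
    if expected_issuer is None:
        raise MixUpError("state is unknown or has already been used")

    # Core mix-up check: the AS that answered must be the AS that was asked.
    iss = params.get("iss")
    if iss is None:
        raise MixUpError("response carries no iss; cannot tell which AS issued it")
    if iss != expected_issuer:
        raise MixUpError(f"response from {iss!r} but request went to {expected_issuer!r}")

    # Second check: the client_id echoed by the AS must be our id at that AS.
    expected_client_id = AUTHORIZATION_SERVERS[expected_issuer]["client_id"]
    if params.get("client_id") != expected_client_id:
        raise MixUpError("client_id in response does not match our registration at this AS")

    if "error" in params:
        raise MixUpError(f"authorization failed: {params['error']}")
    if "code" not in params:
        raise MixUpError("response carries neither code nor error")
    return expected_issuer, params["code"]


def response_is_consistent(redirect_url, state_store):
    """Non-raising form of the check: (accepted, issuer_or_reason)."""
    try:
        issuer, _code = validate_authorization_response(redirect_url, state_store)
    except MixUpError as exc:
        return False, str(exc)
    return True, issuer


if __name__ == "__main__":
    store = {}
    start_authorization(store, "s1", "https://as.example.com")
    good = ("https://client.example.org/cb?state=s1&code=constructed-code-1"
            "&iss=https%3A%2F%2Fas.example.com&client_id=client-at-honest-as")
    print(response_is_consistent(good, store))
    # Request went to the other AS, but the response claims the honest one.
    start_authorization(store, "s2", "https://other-as.example.net")
    print(response_is_consistent(good.replace("state=s1", "state=s2"), store))
```

The check is deliberately ordered so that the `state` lookup happens before anything else is trusted: the client's own record of where the request went is the reference point, and `iss` and `client_id` are compared against that record rather than used to look up an AS. An authorization server that does not return `iss` is rejected here; a deployment that still has to talk to such servers would need a different, per-server redirect URI to get the same separation.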