Romaon Danyliw - AD

Rifaat Shekh-Yusef – Chair

Dick Hardt – Notetaker

Aaron Parecki

Anthony Nadalin

Bhupinder Singh

Brock Allen

Justin Richer

Mike Campbell

Peter Yee

Time Cappalli

Vittorio Bertocci

Francis Pouatcha 

Bjorn Hjelm

Mike Jones

Bob Natale

Sergey Puzin

Filip Skokan



Updates from Rifaat



OAuth 2.1 is WG doc

JWT Profile for Access Tokens

JWT Secure AuthZ – JAR


Roman: I am aware of the JWT Introspection and will take a look. JAR is on the coming telechat agenda. 



OAuth 2.1 is topic today


Mike: Check 6749 errata to ensure it is included


Roman: Check any errata on any of the reference documents


Vittorio: Refresh Token MUST for SPA and SHOULD for mobile apps.


Justin: volunteers to review OAuth 2.1

Like to see notion of sender constraining access tokens to have more prominence.

A lot of leaning on OpenID Connect, and not step into OpenID Connect territory.


Vittorio: implicit is used and is safe in OpenIC Connect form post flows, and depreciating it in OAuth 2.1 is problematic. A carve out for implicit use in OpenID Connect form post flow.


Aaron: implicit flow is not described in OAuth 2.1, rather than being deprecated. 


Justin: if implicit and password are not mentioned, then people may think that protocol is extensible, and the flows could be used. Some language describing implicit grant. 


Mike: support Vittorio's suggestion. State that implicit with form post is not dangerous. 


Aaron: describe what is safe -- implicit from authz endpoint is ok, but from token endpoint is not.


Dick: address the implicit etc. in security considerations.


Mike: the implicit flow also applies to returning Access Token in addition to ID Token


Aaron: the AS does not know the Access Token was delivered to the Client.


Mike: we want to make sure people can keep using that are safe.


Justin: Can OAuth 2.0 and OAuth 2.1 talk to each other? Do we keep in plain transformation for code challenge?


Aaron: Are there any attacks in the plain transformation? Has the security BCP ruled out using plain transformation?


Justin: more description on what compatibility means?


Dick: what is not compatible?


Justin: OAuth 2.0 is different from OAuth 2.1.


Aaron: call out more about what is different -- OAuth 2.1 is OAuth 2.0 with best practices.


Justin: will make suggested changes when reviewing the document.


#Document Review Volunteers:

* Justin Richer

* Mike Jones

* Vittorio Bertocci


Tony: difference between obsolete and depreciate.


Dick: I took the same langauge as was in 6749


Aaron: took it to mean that people should look at OAuth 2.1


Roman: obsolete means OAuth 2.1 is what the IETF is recommended. For example, TLS 1.2 is still used, even though TLS 1.3 is what is recommended.


Filip: what about other referenced documents? Are they obsoleted?


Roman: we will need to discuss in the WG and the metadata in the OAuth 2.1 document what is being obsoleted.


Rifaat: How does obsolete relate to deprecated?


Roman: there is no concept of deprecated. There is the concept of a historic document, but that is stuff that is not being used in the world.


Rifaat: many people may not be clear on what obsolete means.


Roman: this is IETF definitions and we need to provide clarity in the document so readers understand the intent.



Meeting Recordings