Roman Danyliw - AD
Rifaat Shekh-Yusef - Chair
Dick Hardt - Notetaker
JWT -> IESG
OAuth 2.1 is WG doc
JWT Profile for Access Tokens
JWT Secure AuthZ – JAR
Roman: I am aware of the JWT Introspection and will take a look. JAR is on the coming telechat agenda.
Mike: Check 6749 errata to ensure it is included
Roman: Check any errata on any of the reference documents
Vittorio: Refresh Token MUST for SPA and SHOULD for mobile apps.
Justin: volunteers to review OAuth 2.1
Would like to see the notion of sender-constraining access tokens have more prominence.
There is a lot of leaning on OpenID Connect; do not step into OpenID Connect territory.
Vittorio: implicit is used and is safe in OpenID Connect form post flows, and deprecating it in OAuth 2.1 is problematic. A carve-out for implicit use in the OpenID Connect form post flow.
Aaron: implicit flow is not described in OAuth 2.1, rather than being deprecated.
Justin: if implicit and password are not mentioned, then people may think that the protocol is extensible and the flows could be used. Some language describing the implicit grant.
Mike: support Vittorio's suggestion. State that implicit with form post is not dangerous.
Aaron: describe what is safe -- implicit from authz endpoint is ok, but from token endpoint is not.
Dick: address the implicit etc. in security considerations.
Mike: the implicit flow also applies to returning an Access Token in addition to an ID Token.
Aaron: the AS does not know the Access Token was delivered to the Client.
Mike: we want to make sure people can keep using what is safe.
Justin: Can OAuth 2.0 and OAuth 2.1 talk to each other? Do we keep the plain transformation for the code challenge?
Aaron: Are there any attacks in the plain transformation? Has the security BCP ruled out using plain transformation?
Justin: more description on what compatibility means?
Dick: what is not compatible?
Justin: OAuth 2.0 is different from OAuth 2.1.
Aaron: call out more about what is different -- OAuth 2.1 is OAuth 2.0 with best practices.
Justin: will make suggested changes when reviewing the document.
# Document Review Volunteers:
* Justin Richer
* Mike Jones
* Vittorio Bertocci
Tony: difference between obsolete and deprecate.
Dick: I took the same language as was in 6749.
Aaron: took it to mean that people should look at OAuth 2.1
Roman: obsolete means OAuth 2.1 is what the IETF recommends. For example, TLS 1.2 is still used, even though TLS 1.3 is what is recommended.
Filip: what about other referenced documents? Are they obsoleted?
Roman: we will need to discuss in the WG and the metadata in the OAuth 2.1 document what is being obsoleted.
Rifaat: How does obsolete relate to deprecated?
Roman: there is no concept of deprecated. There is the concept of a historic document, but that is stuff that is not being used in the world.
Rifaat: many people may not be clear on what obsolete means.
Roman: these are IETF definitions and we need to provide clarity in the document so readers understand the intent.