Comments (7)
ioggstream
commented on September 15, 2024
Note:
If the access token response contains a different `token_type` value than `DPoP` in the response, the
access token protection provided by DPoP is not given.
In this case, if this protection is deemed important for the security of the
application, the client MUST discard the response and MAY continue as in a regular OAuth interaction otherwise.
Is that interoperable?
from draft-dpop.
b---c
commented on September 15, 2024
Note:
The second sentence there is pretty awkward and should be reworded.
from draft-dpop.
b---c
commented on September 15, 2024
There are some requirements that folks have specifically asked to be repeated for pragmatic and reasonable reasons (#106 being a recent one). That is to say that a lot of what is in the document is there for some reason or another. If there's specific redundant language that you believe is problematic, please raise such instances for discussion. But I'm reluctant to make changes at this point that might undo content that has been requested.
from draft-dpop.
ioggstream
commented on September 15, 2024
There are some requirements that folks have specifically asked to be repeated
My personal view is that, in a specification, repeating requirements increases the probability of introducing inconsistencies.
I will PR specific points though :)
from draft-dpop.
b---c
commented on September 15, 2024
I'm of course aware that repeating requirements increases the probability of inconsistencies. But that is but one consideration and reality is messy - six fricking co-authors on a draft developed over years trying to capture (rough) consensus on a topic about which there are many opinions is messy. Trying to introduce substantial changes, regardless of the quality of the intent, at this point in the doc lifecycle also introduce risk of introducing inconsistencies or other issues as well as risk of inadvertently undoing things that are there for legitimate reason.
from draft-dpop.
ioggstream
commented on September 15, 2024
I understand: the Digest work is lasting years, and while it started with a simple rewriting of an existing spec, it now introduces 4 new fields, deprecated 2 and relies on structured fields thus making the syntax of the new fields not compatible with the old ones :P
Sadly I still need some time to address each point separately.
from draft-dpop.
b---c
commented on September 15, 2024
I have no doubt the Digest work has been frustrating.
I'm aiming to keep this draft moving forward by avoiding unneeded changes.
from draft-dpop.
Related Issues (20)
- Requirement for servers to reject DPoP proofs that contain private keys HOT 2
- Requests are HTTP, not HTTPS HOT 1
- There is no charset parameter defined for x-www-form-urlencoded HOT 1
- Reference "confidential client" from oauth2 ? HOT 1
- a client MAY send a DPoP-bound access token using the `Bearer` scheme upon receipt of a `WWW-Authenticate HOT 3
- Editorial: nonces HOT 6
- Artwork line wrapping per RFC 8792 HOT 2
- Other methods to bound a PK with an AT HOT 3
- Import token68 syntax, don't replicate it HOT 1
- No normative language in security considerations HOT 2
- Considerations for new authentication schemes HOT 4
- Considerations on stripping query parameter from requests HOT 3
- little more detail on PKCE/dpop_jkt and code injection
- Resource servers and new nonce values via 200 OK HOT 2
- add note(s) about exposing/allowing headers w/ CORS HOT 4
- RFC723x are now superseeded by RFC9110
- AS providing new nonce in authorization code grant should not consume authorization code HOT 3
- ref JWT BCP HOT 1
- Mention correlation attack HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from draft-dpop.