45°F

Aaron Parecki

#ietf

  • IETF 109 Bangkok
    Nov
    14
    Nov
    Nov
    20
    November 14-20, 2020
    7 days
    Bangkok Marriott Marquis Queen's Park
    แขวงคลองเตย, จังหวัดกรุงเทพมหานคร, THA
    #ietf #oauth #okta
    permalink
  • IETF 108 Madrid
    Jul
    25
    Jul
    Jul
    31
    July 25-31, 2020
    7 days
    Meliá Castilla
    Madrid, Comunidad de Madrid, ES
    #ietf #oauth #okta
    permalink

  • First Draft of OAuth 2.1

    Aaron Parecki
    Wed, Mar 11, 2020 5:22pm -07:00

    I'm happy to share that Dick and Torsten and I have published a first draft of OAuth 2.1. We've taken the feedback from the discussions on the list and incorporated that into the draft.

    tools.ietf.org/html/draft-parecki-oauth-v2-1-01

    A summary of the differences between this draft and OAuth 2.0 can be found in section 12, and I've copied them here below.

    This draft consolidates the functionality in OAuth 2.0 (RFC6749), OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange (RFC7636), OAuth 2.0 for Browser-Based Apps (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage (RFC6750).

    Where a later draft updates or obsoletes functionality found in the original [RFC6749], that functionality in this draft is updated with the normative changes described in a later draft, or removed entirely.

    A non-normative list of changes from OAuth 2.0 is listed below:

    • The authorization code grant is extended with the functionality from PKCE ([RFC7636]) such that the only method of using the authorization code grant according to this specification requires the addition of the PKCE mechanism
    • Redirect URIs must be compared using exact string matching as per Section 4.1.3 of [I-D.ietf-oauth-security-topics]
    • The Implicit grant ("response_type=token") is omitted from this specification as per Section 2.1.2 of [I-D.ietf-oauth-security-topics]
    • The Resource Owner Password Credentials grant is omitted from this specification as per Section 2.4 of [I-D.ietf-oauth-security-topics]
    • Bearer token usage omits the use of bearer tokens in the query string of URIs as per Section 4.3.2 of [I-D.ietf-oauth-security-topics] * Refresh tokens must either be sender-constrained or one-time use as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]

    tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12

    I'm excited for the direction this is taking, and it has been a pleasure working with Dick and Torsten on this so far. My hope is that this first draft can serve as a good starting point for our future discussions!

    likes 27 reposts 2 replies 4 mentions
    #oauth #oauth2 #ietf #oauth21

  • Implicit flow in the Security BCP draft -14

    Aaron Parecki
    Wed, Feb 12, 2020 3:43pm -08:00

    Hi all, I'm reading through the latest draft of the Security BCP, and noticed something I was hoping to get some clarification on. From the latest draft -14 section 2.1.2:

    In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.

    My understanding is that there is no way to prevent access token injection in the authorization response with just OAuth. It's only once you introduce OpenID Connect that it becomes possible to prevent ID token injection. If my understanding is correct, then it seems like it would be more appropriate for the security BCP to say something like "access tokens MUST NOT be issued via the implicit grant." That would technically still leave open the possibility of using the hybrid response types in OIDC as long as the access token is delivered via the authorization code exchange, but clarifies that there is no way to protect the delivering access tokens via the implicit grant.

    So my question for the list is am I forgetting about some way to prevent this attack in OAuth? If not, can we rephrase this section of the Security BCP to better clarify the intent here?

    Portland, Oregon 47°F
    #oauth #ietf #implicit
  • Singapore (SIN) to Seattle (SEA)
    to
    Singapore Airlines Flight 28
    Seattle (SEA) to Portland (PDX)
    to
    Alaska Flight 2181
    Portland Intl in Portland
    1 mention
    #okta #oauth #ietf #ietf106
    permalink
  • Aaron Parecki
    OH: "at the end of the day, a specification is a programming language designed to run on the worst runtime environment: engineers" @justin__richer #ietf106
    Singapore, Singapore, SGP 81°F
    likes 6 reposts 2 replies
    #oauth #ietf #ietf106
  • IETF 106
    Nov
    16
    Nov
    Nov
    22
    November 16-22, 2019
    7 days
    Raffles City Convention Centre, Singapore
    Singapore SG
    #ietf #oauth
    permalink
  • Portland (PDX) to Los Angeles (LAX)
    to
    Alaska Flight 502
    Los Angeles (LAX) to Singapore (SIN)
    until
    Singapore Airlines Flight 35
    Changi Intl in Singapore
    1 mention
    #okta #oauth #ietf
    permalink
  • IETF 106 Singapore
    Nov
    15
    Nov
    Nov
    23
    November 15-23, 2019
    9 days
    Singapore
    Singapore, Singapore, SGP
    #okta #oauth #ietf
    permalink
  • Montreal (YUL) to Newark (EWR)
    to
    Air Canada Flight 7742
    Newark (EWR) to Portland (PDX)
    to
    United Flight 1572
    Portland Intl in Portland
    1 mention
    #okta #oauth #ietf
    permalink
  • Aaron Parecki
    at Fairmont The Queen Elizabeth
    Montreal, QC, CanadaThu, July 25, 2019 9:35pm
    45.500451 -73.56887
    Back for #IETF Pecha Kucha
    Montreal, QC, Canada
    1 Coin
    #ietf
  • Aaron Parecki
    There’s nothing like sitting in on the #ietf TLS meeting to make you realize how little you actually know about how the internet works
    Montréal, Québec, CAN
    likes 1 repost 2 replies
    #ietf
  • Aaron Parecki
    View from the rooftop party last night at sunset

    ⁣#montreal #sunset #timelapse #motionlapse #ietf105 #ietf
    Montréal, Québec
    likes 3 replies 1 mention
    #montreal #sunset #timelapse #motionlapse #ietf105 #ietf
  • New York (LGA) to Boston (BOS)
    to
    Delta Flight 3036
    Boston (BOS) to Montreal (YUL)
    to
    Air Canada Flight 7553
    Pierre Elliott Trudeau Intl in Montreal
    1 reply 1 mention
    #okta #ietf #oauth
    permalink
  • Portland (PDX) to Newark (EWR)
    to
    United Flight 2248
    Newark (EWR) to Montreal (YUL)
    to
    Air Canada Flight 7741
    Pierre Elliott Trudeau Intl in Montreal
    1 mention
    #okta #oauth #ietf
    permalink
  • IETF 105 Montreal
    Jul
    21
    Jul
    Jul
    26
    July 21-26, 2019
    6 days
    Hotel Fairmont The Queen Elizabeth
    Montréal, Québec, CA
    #okta #ietf #oauth
    permalink
  • Prague (PRG) to London (LHR)
    to
    American Flight 6634
    London (LHR) to Phoenix (PHX)
    to
    American Flight 6198
    Phoenix (PHX) to San Francisco (SFO)
    to
    American Flight 597
    San Francisco Intl in San Francisco
    #okta #oauth #ietf #ietf104
    permalink
  • IETF 104 OAuth Session
    Mar
    28
    March 28, 2019 -
    Hilton Prague
    Praha, Hlavní město Praha, CZE
    #ietf #oauth #okta #ietf104
    permalink
  • Portland (PDX) to Los Angeles (LAX)
    to
    American Flight 6056
    Los Angeles (LAX) to London (LHR)
    until
    American Flight 6185
    London (LHR) to Prague (PRG)
    to
    American Flight 6635
    Ruzyne in Prague
    #okta #oauth #ietf #ietf104
    permalink
  • Mike Jones https://twitter.com/selfissued
    OAuth Device Flow spec renamed to “OAuth 2.0 Device Authorization Grant” http://self-issued.info/?p=1959 #IETF #OAuth @WilliamDenniss
    Portland, Oregon 49°F
    #IETF #OAuth