IETF
oauth@jabber.ietf.org
Monday, November 7, 2022< ^ >
Meetecho has set the subject to: OAuth at IETF113
Room Configuration
Room Occupants

GMT+0
[09:20:06] <zulipbot> (Kai Lehmann) just so you know, there seems to ba a hot mic on stream :)
[09:22:48] <zulipbot> (Kai Lehmann) yes
[09:23:01] <zulipbot> (Tobias Schnizler) yes
[09:52:22] <zulipbot> (George Fletcher) My vote is for making it optional but verifying it if it is sent.
[09:53:33] <zulipbot> (George Fletcher) +1 to what Aaron said
[10:51:09] <zulipbot> (Kai Lehmann) Does it matter how the encoder works? Both sides see the same string in the end
[10:51:25] <zulipbot> (David Waite) The edge cases are nasty - Unicode normalizations for instance differ by version and by locale (e.g. do you get a "TW" flag)
[10:52:06] <zulipbot> (David Waite) well thats grapheme representation; the locale specific normalizations are very limited
[10:57:50] <zulipbot> (Benjamin Schwartz) Clearly we just need a hash function over the space of Unicode codepoints
[11:01:43] <zulipbot> (Kai Lehmann) How about sending it not as JSON encoded string, but as base64 encoded JWT bodies?
[11:06:29] <zulipbot> (George Fletcher) A test suite of sd-jwts that libraries must be able to handle seems like a good idea especially since the validation and verification can be done offline
[11:08:54] <zulipbot> (Orie Steele) Since JCS was mentioned, https://datatracker.ietf.org/doc/html/rfc8785
[11:19:15] <zulipbot> (David Waite) FWIW I don't know if JCS would be appropriate (even ignoring the larger concerns) because it requires a JCS-compatible parser to prevent the text issue mentioned. There's no guarantee that an existing JWT implementation will happen to have a JSON library that meets JCS's additional requirements
[11:26:28] <zulipbot> (Orie Steele) Agreed, I see the proposal to restrict the set of supported claims as being somewhat similar... Basically  what the issuer commits to is what the verifier needs to get... How that happens, with hardening or canonicalization needs to be agreed to... And any agreement that tunnels JSON through strings or restricts JSON to make is safer to process will need to be agreed to.
[11:30:39] <zulipbot> (George Fletcher) In UMA [https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html] Section 3.2.1 UMA defines a WWW-Authenticate parameter for the as_uri
[11:33:26] <zulipbot> (Pieter Kasselman) +1 o John's comment on security concerns
[11:34:12] <zulipbot> (Pieter Kasselman) Another concern is that it may be a very attractive social engineering attack vector
[11:34:32] <zulipbot> (Pieter Kasselman) Attackers can abuse this to change context and mislead users
[11:34:48] <zulipbot> (David Waite) the other missing piece added since then is the resource request parameter on the token endpoint. This means that the AS can judge whether the request should be allowed, with asterisks.
[11:35:01] <zulipbot> (George Fletcher) Didn't we do PoP for cookies with token-binding? =P
[15:40:57] zulipbot leaves the room
[15:42:40] zulipbot joins the room
[15:42:44] zulipbot leaves the room
[15:47:50] zulipbot joins the room