Internet Engineering Task Force 99, 21 Jul 2017

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF99-OAUTH-20170721-0930

Description

OAUTH meeting session at IETF99
2017/07/21 0930

https://datatracker.ietf.org/meeting/99/proceedings/

A

Okay, here quick.

B

The guys claim that you are first legend I.

B

Missed you guys too,.

C

B

I had another meeting appointment. Was it interesting?

B

You there's no possibility to discuss something. Anybody in such a large group, yeah.

B

William William do I knock your slides for the device bro.

D

We want to achieve.

B

Did you need to click.

E

D

F

All right, good morning, everyone thanks for joining us on Friday morning here to talk here to give a bit of an update about their device for draft. So just a quick word on the status, so we've actually already cleared working.

F

There have been a couple of changes proposed, so I'll go over those changes, but hopefully we can get this thing done pretty soon, so a bit of a recap. First, what is the? What is the device flow device flow? Is authorization flow designed for devices that have internet connection, but maybe they don't have a browser or they only have a very limited input mechanism.

F

In that case, the user will be reviewing the authorization request on a secondary device like a laptop or a smartphone, so how it works. Some like this, the TV app as an example, the TV app, will display a URL that the user will need to visit on their secondary device and a code that they'll need to enter user, then visits that URL on their second device and is the code, and from that point it looks a little bit like regular or from a consent.

F

Point of view, during that the device continues to poll one of the endpoints, the token endpoint, with a with the device code to see if the user has completed their action and if they have completed their action, they'll get back the Refresh token an access token. So it's kind of like the authorization service sort of issued like an authorization code, that's not actually yet valid and at some point in the future it may become valid or may become invalid. It's gonna work all right so on at the important stuff. What changed since 98?

F

The first thing is: we had a fairly lively debate on an if you recall in Chicago on the user code pram. So this was a proposal by James manager from Telstra, and the idea was what, if we could include the user code in the verification URL. So if you're not familiar with the draft, the authorization server responds with a number of different fields in the authorization.

F

Sorry, the verification URL is a separate field to use a code and the intent is that these things are separately consumable. But you know what, if you want to do something like this right? So what if you want to have a QR code- or you know any kind of like non textual transmission of that URL, depending on kind of where you are like I, think I? Think in America people? Don't all really know what QR codes are. So we don't actually see this a lot, but it's kind of a good example.

F

You could replace that with a Bluetooth. It would if you want any any way of transmitting URL. So what we talked about, this was kind of generated, a lot of debate, particularly because I said that actually, my own company's server won't be using this for people like well. Why are you putting in there?

F

The consensus call was that it is worth doing so in the 0-6 update. We did actually document that with some appropriate security considerations.

F

This is an optional enhancement, so it's fairly well interoperable, because the authorization server will still display all the information and we're actually requiring that the client still actually display the two pieces of that information separately. So if the user doesn't know how to process that thing, whatever that may be, they can still sort of fall back into it manually and the authorizations have actually doesn't support that, and the user happens to scan it. They're just gonna end up at that URL and have to type in the code anyway.

F

So it's kind of like the the client, it's completely interoperable in a sense that the client doesn't have to actually rely on the service appointment it can. It can just sort of try it as a best-effort and everything will kind of still work.

F

These are kind of one of the nice things about this. This flow is that it's sort of very fairly durable. What we see a lot of people doing is they might try some more advanced method of pairing, say the TV to the phone. You know, maybe they have their own app installed. So you know you you you might- and this is like out of this spec, but you might like to open up that app and do something and then kind of fall back to to this stand flow.

F

So Justin I think is joining us at 3:00 3:30 in the morning. Apologies he's online at 3:30 in the morning. He posted there's a couple of open questions, at least I'd like to go through and just remember that the draft is sort of beyond working group last call, but so this is the last chance to finalize some of these normative things. So the first thing he suggested was, instead of specifying the user code parameter in in at your old construction.

F

That I mentioned what, if the authorization server has turned a separate parameter so just to be clear. Currently, the authorization server is returning to fields, verification, your I and a user code, and we have normative text to say that you can join them together. Using a URL parameter.

F

Justin provides an alternative which is have three parameters related to this, whether it be like a third kind of optimized URL, so I don't know if Justin, if you're awake, did you have any comments, you'd like to make it this time on that, since it was your idea.

B

Hey Justin go ahead, you can see it all.

G

Right morning, everybody so the basic thought here: William if you could actually go back to your your high definition, TV graphic there. Thank you.

G

So this picture is actually impossible with the current spec, because what you would actually get is example.com, slash device, : user code equals wdg, boobarella, what's etc and yeah that thank you. You would get that on the top line that URL and if you go, go back to the other thing you would. You would get the plain code on the next line and then then, that QR code, so this this picture you, you can't actually get this picture with the current spec ah I think you can actually.

F

Say unless I'm.

G

Anything which is entirely.

F

Possible right, I kept you out because the device authorization employees returning HTTP colon slash slash example, comm device that part as the verification, your I, then it's returning a separate Jason parameter called user code. Without with that value, spec is basically named as an optimization. If you wish- and you want to display that verification- your I non so textually, then you can use a parameter standard, URL parameter that happens to match the key of the jason called user code and pass in the euro. So this basically tells you how to construct this optimized euro.

F

So that's constructed.

G

Client-Side then I correct right that was that was unclear to me even in in reading the new paragraph in six. So let me let me reread that again and I may have some some wording. Changes so see. I thought that this constructor URL was coming from the server.

G

So that's my mistake, but because I garden path on that I'll I'll read through what is that section three three one again and and see if we can armor that a little bit better so that somebody else doesn't do what I thought that you were by investing that we're doing so be.

F

Back yeah great.

G

Okay, fantastic, so I withdraw my my proposal: okay, whatever it was, it's three in the whatever.

F

I hate you for joining his goal on your prices, to see them alright,.

A

Want to make the same suggestion that Justin was originally making for a.

E

A

Different reason- and that is as it stands with just the two parameters you are then requiring the client to do this. Construction of the complete URL you're, requiring that the user code parameter then be standardized. So the client knows what that is: that's putting a bunch of work on the client which historically doesn't always go so well.

A

Additionally, it's limiting flexibility on the part of the the server, because now the the endpoint that receives the user code via query string and the end point that the customer would type that quick user code into have to be the same, which may or may not work out. They may want to use a different URL for the parameterize endpoint, perhaps one that is going to be captured by their mobile app if it is on the device, whereas the simple to enter shortened form of the URL may not be that's a good point. Oh buddy.

B

Something important ah I forgot meeting minute taken.

B

Mike, can you take if you know it's is that possible because you're not presenting today or you have no left.

B

A

Was from Annabel Backman from Amazon Mike for your benefit, yeah.

B

um For the Chavo, can someone take a look at the Chavo room to see what a chest in or or hunts or fill both some questions.

F

It's Friday, yes,.

B

See if someone could I could open the chat you don't give.

B

Right, the chopper.

B

Okay thanks: okay, sorry.

H

So what is the conclusion.

F

Okay well, firstly, to discuss your point: um yeah I think it's a good point. I guess you could potentially two different targets for that. A couple of other things, I thought about in trying to trying to come up with an opinion on this was also an you see, end of a higher entropy code for that magical one so that that could be beneficial in some way.

F

Yeah I, guess I'm. It is why the other thing is that you would actually know that the authorization server supports that um yeah on the flipside. I. Guess it's! You know it's one extra piece, information coming down: yeah I, don't know I just broke both his I complex, like you said in this case, I, think the construction, the URL is very simple, so as much as I would normally agree like. Let's get everything away from the client as possible. I would really hope.

F

People couldn't make a mistake with this bit, but maybe it maybe they would.

A

Url parameter encoding is hard, I mean it's not but yeah harder than we think it is yeah.

F

That's a good point that probably should be added. If we keep the context sofa pill, they didn't quite catch. That D card asked is: is the either a requirement that the existing user code be you're all safe and I'm, not intelligible? We may specify an alphabet for it. We may specify a character range for it. I.

A

Believe, there's a character range required as specified right, which I think is probably URL safe, yeah.

H

I was gonna, say if it's not required. It's certainly highly suggested by the by the character suggested to be easily interpreted.

F

H

F

We've known the authorization server to attack the client, though.

A

There's some kind of weird malformed girl, something in my experience, I've seen with clients implementing our os/2 based services. Is they frequently aren't reading these specs, so yeah I know right yeah, so it's a banking on clients having an understanding of what is in the spec and isn't and and what the actual you know what's reasonable to expect around the values. These parameters isn't necessarily a safe assumption. As far as right, hoping, that's gonna make things easier for them right.

G

Just let me know when I'm.

G

You guys hear me: yes, oh so, oh thank you life, so I to Brian's comment about the character set, suggesting things that are easy to type I want us to keep in mind that that presumes a you know, a us style. You know. Ascii keyboard is as far as things that are quote easy to type.

G

There are lots of keyboards around the world that put lots of non URL, say, characters well within reach, and it might make sense in other contexts to have things that are very easy to recognize and type that would still need to be URL encoded, so Annabelle's point about URL, encoding, I think does have merit.

I

From the microphone suggestion, shucky.

A

Yes, Annabelle back then Amazon reiterating just in suggestion that we have a separate parameter that contains the I guess, clickable URL, that has the code embedded in it. So there's two experiences we're talking about here, one which is the the primary one that Williams presented, that is the customer user types in a URL and then types in a code. The alternative is the automated experience where they engage with the QR code or through some other mechanism. A URL is opened.

A

That already has two code embedded in that have a separate parameter for that URL, so that the client does not have to try and construct it that reduces the amount that we have to standardize on these endpoints cuz. Then we no longer have to standardize a query, string parameter for the the user code and it opens up flexibility for the server to use a different endpoint for that express the code in some other means, or have a higher entropy code that just decouples that from the streamlined four user entry experience.

J

This is Dave Robin I was I, would not wanting to repeat everything she just said, because I think it's great, but one other possible wrinkle here or a use case, is that in this case, where you're presenting the the the type of all URL and they're capable code you're, sending the user to a very ui/ux HTML based server guy, that's serving up human pages, he may in fact be turning around and sending it with a no garbagey code to the back-end server who's actually completing the operation.

J

So with there's some opportunity here to just send them straight to the garbage you got, you know the skipping, the the whole UI server, the one that's got pages and stuff to interact humans in, and so with this option with the QR code, they could scan that go straight to the final representation guy with the the right code and just skip a step skip a server.

K

Waiting for you so nuts, a chimera number as such I support on about idea.

E

K

Mean in one of the the implementation we have entirely off, we actually do sin, your eye, which is good idea as well, as we kind of send sure, called the image itself. Okay, because the tunnel could be really dumb right.

K

I'll just scan you use a code in the text and I, don't quite see the exact constraint and user code. So okay, actually.

F

K

To that point, somebody's point it might be, you know if it's a user call, it might be also a good good idea to you know not to constrain too much right in the sense that, for example, if you're using Japanese form right smartphone, it's actually much easier to type Japanese character them off.

F

Of it so I have a question for you if you could say that for one second, so so do you think that would actually make the most sense, from a user point of view in Japan to have a like a hiragana code or yeah.

K

Okay, that's much easier. Okay,.

F

So we should, we should document it as unicode.

K

Yeah but then that means that, but no exactly that.

L

K

But that means that composability of your eyes, Walter Scott.

M

Their card Amazon, we recently looked at stuff that people could type in across the world and concluded the digits work really well. Okay,.

L

M

That anything, that's a char set. It's like it's confusing with different boards and all kinds of other locales, and so potentially just having a few pure digits cuz. You only got 20 bits now and I lose half the res right. Everybody can notice what a number is. Yeah.

F

I guess that's kind of why we landed on on the imma characters to double the right.

M

But are you buying I mean all you need? Is one more right character, one more thing and.

F

Accuracy like how many, how many numbers do you typically use in such a I, don't know if you're talking to this exact type of flow, but.

M

No, not that exact type of flow, but we as we're choosing things. We realize that numbers are much easier for a number of different types of input. Marian.

K

M

Particularly when you move to voice right, mm-hmm.

K

Good point, so that's a kumara Inara again yeah.

D

K

Fully support if we are just going to number that's you, okay,.

F

I'd, probably rather not do that, because it'll bring our running code out of compliance, but I I think it's an extremely good point. Yeah I mean yeah right.

K

F

Dangerous things with characters, you can accidentally create words which actually happen to us, so we dropped all the fouls so.

K

That's a kumara again! If you really want a high entropy stuff, it's actually kind of good to send down the QR code image yourself. You can climb a lot of deceit right, so the QR code, with the has.

F

A complete URI I got my gear ID to an image which you download and it's the card yeah, so I guess the only drawback with that is that it assumes that a secure code, so this is in my example, was- was the example um I guess. I could see like NFC being another way to represent that that Europe potentially, oh you, you mean, like you, mean like adding another parameter.

K

Yeah I'm the so we're talking about optimizing user experience right right yeah. So if it's targeting the QR codes in the QR code directory, if we are targeting NFC, maybe optimized towards NFC, okay,.

F

Actually have another localized usability question for you, you can st. so so do you see like this actually been successful with QR codes, as per this example in Juba.

K

Well, right- and you know, bunch of ATMs are actually using that even not not even within Japan but, for example, in Singapore, I guess the same in Australia as well. So you know two people doesn't have to carry around a mouse right core right, but just use their phone and.

F

And you think that that parameter should that be additional to the additional parameter, or should that be instead of.

K

That's a good question. Okay, that's really well yeah! That's a good question, but yeah. If it's.

K

Okay, then you know well, you also have to think about I'm not very familiar with the NFC kind of things, but if you think about sending something for the consumption of NFC device and I have to do that, you may need another one. So you might have you might. You might want to have.

N

If the John Bradley yubico, if the device supports NFC just sending a URI over NFC, is actually pretty well understood, that's enough! Yeah.

I

N

Know that you need to send a set unless you're doing something super complicated, just sending the you. If we had a separate URI having the device send that over NFC, you ought not to need another parameter or must be conveniently horribly wrong. So the only question is whether or not devices have a library to create the QR code locally.

A

N

F

That's ridiculous: it doesn't history that could be a remote okay, Jerry yeah, so I guess like as as currently written, even with the even disregarding the decision between the composability or not. The kind of point was like he's this year. All that you can use transmitted. However, you want to transmit URLs, and so I I did like this. It was FET and yeah yeah.

A

To that point, I think if we try and get into tailoring the spec to particular transmission technologies, where we're gonna go down a huge rat hole of never-ending. Do we want to support this? Do you want to support that yeah if we limit the spec to getting the code from the server to the device and give it with it with enough flexibility that the device can then get it to a secondary device through whatever transport makes sense, then I think we're solving the right problem right, yep.

M

A couple things pickhardt again: it's not clear to me where we're really working on Interop right as opposed to this just being a best practice.

M

So as I looked over the doctor wasn't really anything it says like who are when are they two different parties, as opposed to all the same party, but it's all the same party to do whatever they want right, which means? Maybe this is more of a good guideline around how to do it?

M

Well, so people don't do stupid stuff, but is there it might be easier to sort of call it case where it really is requiring they are two independent people right which you know auth is you know there is two different entities that are trying to yeah at the flow. Yes,.

F

I mean Justin I actually did do an interrupt s. He's servin my client written.

M

F

M

It doesn't mean like, like, like a real like yeah, the world instance where the device and the server are from two different players. Yeah.

F

Does that happen? I I am not aware an example that comes to mind. I, guess that doesn't mean there isn't one okay. So so we are.

M

But I'm not sure that it would necessarily work that we would necessarily want to do this because the you know the model here is a very browser web oriented model where the world's moving more and more to a mobile app model right. Look at the youth.

M

The customers aren't gonna, go and pull out their laptop, necessary they're, gonna pull up their phone absolutely are pulling out their phone, then you're really trying to bind the device to potentially an app running on the phone and that the users already authenticated that app right, as opposed to making user authentication to something in the cloud that they don't really other credentials or anything for and so I could see the QR code, helping where you really scan it with a QR code which essentially eventually launches the app on the phone, and so the users already authenticated and randon.

M

Really, the only UX is an approval process by the user right and in that case,.

F

Like you're saying you don't actually need the Interop, you control both sides. No.

M

F

M

Noise- okay, right so in the Alexa world, right, there's many third parties that are putting out devices where you want to enable that third party to make calls into Alexa okay. So we do require some inter out there, although we could just say what to do correct our world yeah. But it would be nicer if it was standardized and was more of a practice, but we would probably want more of a flow like that right, I described in a flow, that's very web oriented I. That.

F

Makes a lot of sense to me um also I presume you may need a fallback in case the user doesn't have the app installed or is using a device not supported by your app it's pretty hard to turn a device up against.

M

X you're, climbing yeah I guess it's.

K

Not a requirement.

M

Just hard right, because they.

F

Definitely exist use case I'm, aware of where, where you may want like an optimized flow, but then you still want the fallback of the browser, so you still want to fall back yeah, but the you.

M

Want the 80% case to work super quickly right right.

F

And actually, one of the cool things you can do with this with this construction here is that you can actually use this as a paring, a visual pairing confirmation code too. So the fact that that data is already there be like the Bluetooth kind of parent.

M

Like you know, Easy's your TV thing, I loaded I scan something, but is it really particularly.

F

Helpful when you're working on the team, it is like hundred of those devices in proximity, but also relevant for Ponson hotels,.

N

John bradley yubico, so I'm influenced by the arguments that having a separate precomposed uri that could have a different endpoint and perhaps different into amount of entropy, then the user type of all one is probably a good idea, given that a lot of this will be either NFC your QR codes to to an app which is I, think they growing or even audio to an app there's a number of different ways. I, don't know that we should add the QR code directly.

N

We may want to leave that as an extension, so that apps could have an introspection endpoint that gets a QR cry from the URI, etc.

N

So I think that you know trying to generically add QR codes or sound files, etc should probably be left as an extension, but I guess. The other thing is that doesn't Google already do this sort of thing with printers there are, you know, Google doesn't yet make printers, but there are printers that use. We.

F

Have Isis absolutely right.

N

So that is the case of a third party client, okay,.

F

Yeah yeah I mean YouTube speakers, customers actually YouTube's app, but yeah right. Okay, no, that's a good point. The printed one is I. Guess I thought you were meaning like with that printed. You know potentially be doing this exact flow to another authorization server as well and well.

N

What we have to do is care about the interrupts where the device manufacturer I ye Epson, isn't there. They even still make printers I, don't know that they're they're not providing the Oh hot server, it's um ready, their personal or some print service, which is offered by Microsoft or Google or whoever right. So we have to think about some of the interrupt things. Oh I can also by making the code numeric for four reasons, at least as a recommendation.

F

All right so I guess I feel like there's sort of two changes that we're proposing here. One is to move to a separate your I as the current optimal one and allowing any character in the user code. But suggesting numbers is that what I'm hearing strongly suggesting numbers.

F

Well, that we may not care about anymore.

M

If you're saying they could kind of make up anything, you still want them to go and make it. You are all safe right.

F

But only only with this proposal, I guess, if we move to the separate your I, then I guess that that doesn't matter anymore. What's that.

M

Your your wanting the client to construct.

N

M

Move away from the Franklin stocking.

N

M

The client would no longer be constructing the URI if.

F

We combine the two proposals right.

M

Yeah I mean I just worried that clients doing stupid stuff of URL encoding something extra and then it breaking so like if you're handing them down to URL. You want it to be a if.

F

Yeah I think if we make it unicode, then I definitely agree. Let's just send a set. A separation, Here I, am a sense. So I don't want to vote on that needle nobody. How this truth do we need a consensus? Call on any of these items? Oh no.

B

F

L

Early age, yeah.

B

F

B

That also sums and like a fairly recent I, don't think we need to okay, like having a euro safe and making recommendation to use numbers like okay,.

F

Who wouldn't alright so I.

B

Think the decision then, unless.

F

Anyone objects.

I

So Mike Jones I, guess an ala bit. I, don't understand this well enough to make a really informed comment, but introducing a second endpoint, that's distinct from the one that's already in the spec seems like a pretty big change to do at this stage. In.

E

I

Yeah, that's the language people have been using is having a separate URL and a separate and white. So what am I confused about? I.

O

Was gonna grow up and say the same. I mean it sounds not to get into the details, but it sounds like a bigger change than a working. Your last call change and you might want to be spend another couple of weeks working with less coal.

N

Something like I believe the suggestion is to add a new parameter which has a pre composed version of the URI which enables the user code to be have higher entropy and be pretty URL encoded, which gets around the problem I. We also need to think about the user displayable user code if we are actually using utf-8. What is the script?

N

There's there's other issues that tend to send specs into a tailspin once you actually attempt to internationalize them in that way, not that I'm, saying it's bad, but just sending you to a utf-8 characters doesn't actually work for everyone, but certainly whatever we do with making the displayed user code internationalized.

N

That immediately leads one to having a separate precomposed, URI I. Believe Ana bio made. The suggestion that if you had a separate URI that you were sending precomposed, you or riot could actually have a different path, but that would be an implementation detail. We're not saying that you need a different endpoint, but as an implementation detail, if you wanted to do if the AAAS wanted to do an optimization, nothing forces it to have exactly the same path. I.

B

Guess we will have to look at the pics to see how this.

F

Could comment on the you gf8 concern because I think we like not to walk away here and have that whole thing blow up so I guess we're not gonna require our clients can display any character they ascend at them. You, the authorization server, would have to use its best judgment for the market. No he's.

N

So the the client needs to know in some way what the script it's supposed to display utf-8 characters in that the server on its own okay,.

I

N

These are actually interoperable separate devices. If you had, you know, I have a Korean printer that knew that it was going to use Korean script that, but as soon as that shipped to South America, that's not gonna work so well, so somehow we are actually allowing international like characters as opposed to numbers.

N

The script needs it's not my fault. I'm, not I, wasn't yeah. I.

F

Yeah, I think dicks idea is looking better by the minute I.

K

Just just said that the utf-8 might be Japanese character would be easier to type that alphabet right in Japanese smartphone keyboard, but I was just asking for something: some cause, some kind of thing, which is reasonable to people to type in and numbers just is it okay, so.

F

Let me let me only see if we, if I get this right well, we're gonna, keep it the same. It's it's numbers and A to Z. At least we don't break my Interop.

E

F

A minute wait, a minute if we're, if we're saying our sending characters.

I

Shouldn't be harmful to your Microsoft. Would.

F

Agree yeah, so let's keep it as is and add in internationalized like usability considerations and suggest numbers as the as that to solve that problem. Annabel.

A

Backman Amazon just to completely bury the utf-8 discussion. They keep in mind that the more complicated the display requirements for the client, the more devices and use cases we exclude from being able to use this. The whole point of device code is that it is usable in scenarios where the device has constrained input and output. So if you're agree, if you're trying to output everything in Unicode, that's gonna be really hard on a really low res LCD display I, agree.

F

I'm right, I'm, sad I'm, sad that we won't be I'd, have a emoji based user code now, but that was a brief for a few brief minutes.

A

That looked possible and then quickly to further address Mike's comment and John is right. That I think we're we're not talking about necessarily a defining a separate endpoint, we're just talking about defining a separate parameter with a URL that may or may not point to a different endpoint and bear in mind that the spec itself says nothing about what those endpoints do. It's very deliberately leaves that up to the a s just as oweth leaves the process of resource owner identification and authorization, and all of that up to the implementers did.

A

But the this spec leaves everything that happens at these endpoints up to the implementers.

O

Alright, later on so so we went from here's a URL type, this in and type in these characters to you know multiple at least two ways you can get, hopefully to the same place as anybody. Don't security analysis on this. Are there any aspect? Is there any security aspects involved in you know two ways that are supposed to take you to the same place. We should we could talk to the security.

B

Research and let them do include.

O

That, in their formal analysis, they like today, I am no idea. I mean I, guess part of the discussion we had at the last idea force that that there are, you know when you, when you present that the like the first generation of this user interface, here's an input box, you know type this right, that's like maybe harder to to confuse or you get confused users over or get wrong. I have no idea. But again, this seems like something crankiest crank this out in a in our last call comment.

O

Dish needs somebody to look at the.

F

Reviewers, it sounds like this change. Will what.

B

We, if we accept the change yeah, we have to look at the text and I think we we definitely have to discuss it on confirm it on a mailing list. So yeah.

E

Whether it would.

B

Be big enough in the end to have another working group. Last call I, don't know, but it shouldn't be a big deal anyway, and then that was not a joke with the security researchers like they, we had this this meeting and they they offered help with some of those activities. So we can, we could yeah yeah I mean.

F

Definitely one of the things I liked about the old way is that it kind of full it sort of falls back very nicely if, if the, if the server didn't understand the ural, it just displays the original you're all anyway, but I guess it shouldn't be sending something it doesn't understand in the revised proposal anyway. So dave.

J

I

Think is a method.

F

Documented 0/6 being the old way.

J

I'm curious to make sure we understand, where we're ending up and where we're going with this, because I think I heard two different things. um One is that if we make the code URL safe, then composition by the client there's no problem, we don't have to worry about. We don't say a lot of things about it, but also, then we have this idea of providing you the complete URL, which requires no composition. So the question is implementations aside. Yeah, are we deprecating what you show on the screen right now?

J

In other words, the code is only for typing into web pages, and the compose URL is only for you know, sending it as a parameter having what you have on the screen now of user code equals that which is composed by the client somehow based on these two P. The first piece is one and two to make this URL. Is that option still on the table other than I mean other?

J

In fact, that implementations are doing it today, perhaps, but if we have option three, if we have parameter three I might make the case that client composition should never be done, and this server parameter of user code equals should never be allowed that it's opaque, because you know I'm that that just that user code equals URL parameter is just not a thing yeah. It's either opaque in case three parameter three or it's never used in one and two you go to one you type yep I do.

F

Agree so we should document one or the other, not both, absolutely and and maybe yeah absolutely.

A

Let's not do both. Let's pick one Annabel Backman Amazon, the security considerations point there is text in version zero. Six of the draft that brings up remote fishing concerns around the composed URL, so that the current draft does actually address the or at least raised the risk of increased ability to trick the user when you're not forcing them to type in a code that they see on a screen, so I encourage anyone, who's, who's, interested or concerned about that risk.

A

To review this back and take a look at that language and see if there, if you have any concerns beyond what's address there.

A

No, it's it's. It's more guidance for the authorization server around making sure that the experience they present through that composed URL still gives the the end user. The ability to detect that phishing might be going on yeah. um It yeah it kind of raises the bar necessary for that experience. Basically, yeah.

F

And comment on phishing I guess like one of the things that we were trying to establish is basically are you setting up a device and use that device currently in your possession? That was sort of the the challenge that we were trying to answer, and so, when were think about like what UI to show, we really think of asking that question. Like is the device in front of you and is a display nice coat. You know to try and mitigate that you know might be the draft Lucy.

P

Lynch, just a process thing, Honus I think these are enough changes that it's breaking for last call and it you would have to last quick again since fine. Thank you all.

F

Right we do it. There is another another open question, so let me let me go this say: yeah we added some ascii diagrams. That's so good justin pointed out that, after discussion, at least that, while it's a polling protocol, there is no actual requirement. You have to pull at it. There's no requirement. You pull that anymore. You can follow a slower interval. You can wait for user interaction to initiate a a poll that would look more like a single request.

F

Okay, so there is another another. Last me of talking a little proposed after one group last call- and this was an interesting one, because they were kind of three people it kind of came up with it all the same time. Well, the same time and an edit. This question.

I

um At least for the minutes in the working group, what is motivating people to want to make these changes? Now? I really don't understand what these are for. I wasn't what we have fine I guess.

F

I, don't really know what they might've sup, but I I'm, assuming that I was the one grab. Last call that triggered some last minute reviews. It's maybe.

B

Miss perfect fine to provide these comments at this stage, even at the idea of passports, so I don't think I'm.

I

Not questioning process I'm, asking from an engineering perspective, why do people want to do it differently than it's already specified? I, don't understand.

B

I

B

I, don't think they wanted to definitely. My sense is more like people and I've seen this in other environments, since we are further along in the process. People look at this and found out that they can actually use this document to cover some of the use cases. Specifically some of the IOD use cases, and it's actually experienced that myself in the healthcare space some people look at it, isn't that I. Actually, this is what I want.

M

Their card Amazon I mean we started looking at this and started looking at where we're going, and then we saw some of the issues, particularly of characters, vs. digits.

F

Okay, so they, the other kind of major change that was proposed, is is relate to this fact that you may have multiple device. Is that our actual the same so take, for example, a Roku device? If you have say two TVs, you may have two Roku's both authorizing to YouTube or or however, and both would actually the same client ID, and so the reason proposed around ok.

F

So if they both have the same client, ID and the user say loses upgrades or souls or stolen or something if one of those devices is gone, how do they revoke just that one device and as written the the spec is, doesn't really provide any help to the authorization server to provide a good, revoke experience? I guess you could look at when the token was last used, but that probably doesn't help a hollow someone bought it off you and is continuing to use it. So this this is an edition.

F

It doesn't really change the actual protocol at all. It just passes a little bit more information about the device to the authorization server it to allow the authorization server to store this information. These three fields associated with the grant the motivation is, is for revoking. So let me give you an example: with the with the Roku, the device ID would be a unique ID of the Roku. The purpose to revive that is so that that device can be represented as a single entity for revocation.

F

So you could have multiple apps from the same authorization server with one click. The user could revoke that entire device. The second is the model just so that you know.

F

Hopefully this is available to the app they can just like kind of query like what am I running on like oh, it's, an Xbox 360 is Xbox, one or whatever, which may actually have the same client ID depending on on the implementation, and then the final is- and you know this week- extremely optional- they're all optional, but this would be the most optional it's kind of like. Does it have my secretary name, if so past that as well? So then you can imagine this revoke experience or it's a William.

F

You know you have a chromecast and a Roku and another rogue or something, and it's like living room. Roku- and you can kind of just revoke that and and yeah.

A

Annabelle vacuum and Amazon this problem doesn't seem unique to the device flow to me. It would equally apply to a native apps running on mobile devices, where you do have rich user input and you are potentially entering credentials right on the device, so this spec does not feel like the right place to solve this problem. Yeah.

F

Absolutely right that any native app has the same problem and justin has a spec from 2010 to sell you.

F

Yes, so he can't had this idea all those years ago, I hadn't actually seen that tool. Until recently, we kind of came up with this to try and solve that revocation experience. There was another contribution on the list as well. It was similar. I will point out that the device authorization endpoint is, strictly speaking, a different endpoint.

F

So while we for better or worse reuse, some parameter names across the two endpoints I and given this in working group last call just from a well about to be again from a kind of process, point of view I think we could document this here.

F

If this was an acceptable pen and I mean if we really wanted to, we could review these names and maybe not call it device, but I, guess I, don't disagree, I, guess I'm, just not sure exactly like how do we solve it like now for the device for you and given, we would actually need to document it separately.

F

It doesn't matter I, guess, I, I,.

A

Think if we end up with two different ways to do the same thing, that creates a lot of confusion for for implementers.

A

My other concern here is that if we are overly prescriptive about what pieces of information we're asking for for device identification, we run the risk of ruling out use cases where right, potentially, we need more than just these three pieces of information that we've identified here that work for the cases. People are immediately familiar with. Okay, two.

F

Points about that, so what when is our optional? So, for example, like I know, there are some device that may not have an ID, so don't send it. You know it's. It's still useful from a UX perspective to know the name of the device.

F

You can still perhaps do some useful things around that, particularly it has a name that could be unique and the user kind of differentiate, even if even if there's no like, even if you can't correlate the different grants in order to revoke the device and ones yeah on the other point was the other point.

B

William I think this issue came up in Chicago already like in a question of like what are we actually identifying in terms of client in there I had the impression that we also talked a little bit more about our more extended functionality than just having some parameters that are obviously non cryptographic. So one could argue that maybe you actually want to do some form of authentication potentially at the station that stuff you have been proposing in a different context.

B

That would actually be appropriate here as well, because those are those are parameters you use them for revocation, but you actually, as the title says, you may actually use the mouse for authorization. I.

F

Mean that's not as not as.

B

F

B

Use them here now because they're just physics, unless you could the device which is big.

F

I guess I guess I should get your other point to that you know. Maybe these aren't enough premise. My hope is add. You know if there is a common minimum set, that we think a lot of devices need. You know if you drop reasons, let's, let's document that column unit of Z, I guess not trying to capture the every possible field ever but I mean I.

F

I do have a very specific use case and a reason for including these for potentially including these parameters like I mean honestly I, don't really mind if it doesn't get included. This is something that you can always don't miss separately. You can say like hey if you're talking to Google like won't, you just add these, and then we can give you as abetik, revocation experience.I.

F

We have a use case for this I think it's a reasonable use case. So I'm keen here any others I, don't personally I, haven't actually personally seen the attestation or anything like that in the wild, but I guess.

F

B

Attestation is obviously on the sort of more extreme and in the middle that would be some form a cryptographic form of this, and- and this is sort of like on the on the on the on the other extreme. It's basically some parameters that the device can easily sort of free flow right: okay, I, just I, don't really have.

F

M

Proposal, bed, hey I, do depart so the device IDs problematic because if you're just declaring it there's no binding time, that's not enough attestation right, you're, trying to say I'm a particular device and yeah.

E

M

Could do that the other two are useful from a UX and and because users not going to know whether it's the right device ID thing easily or anything right. So what you're trying to do is is it in the authorization on the web app or whatever app the user is when they're deciding whether they want to enable this device? Is you can be showing the model and the name as part of that to sort of complete the flow of? Am I authorizing the device?

M

That's showing me display here, and so the device would show here's the model. Here's the name to help circulate complete that and so that, later on, when you want to revoke it, you know it's the right one, but also it helps you from knowing you're authorizing the right one. Okay, yeah.

F

So they do I studied suggestion is just as acro mobile ID for revocation just so you can you it's not.

E

Meant to be for her to use.

F

For the authorization service they can present like a yeah, they can just group the grants together. Do you see a security issue with potentially like? Do you see you know if someone faked I agree that it's fake of also dude, you know he's a bad effect goes like group together understand.

M

F

M

That the values around users, so the values.

F

Are let's say the one authorization set has two apps say like YouTube, Google, Play, Music, right and so I have two devices. You know living room, Chrome, car Roku and like bedroom, Roku and then rather having like four four things displayed on for. Revocation we could just have to, for example, write could just be okay, you have the living room, Roku and the bedroom Erica. If you revoke one of them, it revoked both grants so just knowing, which are different, clients right, which are different client IDs. Instead of knowing all.

M

Right, babies for those who have a separate device name from the user experience may.

F

Or may not, that could be both wolves record all.

A

Of this is happening at the authorization server side. There's no reason for the device to be passing this information and the authorization server could just assign a surrogate ID to each of those authorizations. Yep.

F

But in that example, I gave, you would then have four discreet authorizations. Two times two, you wouldn't be out of group them I.

A

See: okay, yeah! That's.

F

A

F

A

F

That's why this one exists.

M

Or essentially remove all the things from a particular device because assuming the device will provide the same idea all the time Hey.

F

Yeah sure Mia, if it doesn't it's useless so yeah, it's just just to conceptualize all the grants and group them so that that's the purpose of one of ID and then the other to it. Regarding.

A

Model and name they do introduce a potential phishing risk if the authorization server is not validating those against a whitelist associated with the client ID and if you're, requiring the authorization server to do that, I'm, not sure how much value it then, having the client provide this information, but.

B

Really it really gives you just used client ID, because in this case you have one client ID, but then use it on on many different devices. So you wouldn't you wouldn't necessarily know, or you could definitely not know the device name or the authorization. So it wouldn't be able to infer the device name just from the client ID, because if you have the app running on thousands of millions, I'm.

A

More concerned about device model: okay, because if you're, if you're, displaying that to the user and telling them hey, you're, registering a Roku three, but the client ID that's being provided is for some other device.

F

A

You know you so yeah.

F

Just to comment of the the last one first, so you said: what is the value of the client providing this information I would say. One of the value is that assuming legitimately provide information. Is that every vacation? You know if I just see some random things. What's that I can't be bought racing I'm gonna revoke it right if it says hey, this is like your Roku. Don't Rover! You know this.

F

Is euro car make the ID I, don't know revoke that so best of ov, the client providing it's an optional parameter, but if they provide it they're at less risk of getting revoked.

A

I'm not trying to endorse right goodbye.

E

A

More concerned about a malicious party using.

F

Association requests to put up a prompt.

A

That's saying I'm authorizing my Roku 3 when I'm actually authorizing yes to is.

B

The fact that those parameters are essentially rentable and they are not cryptographic, okay right, two.

F

Comments on it. Firstly, if we add this, let's make sure we do have that security consideration. That's a great point. A lot of the thinking I was doing around this was revocation but you're talking about consent, yeah, I think from a concern point of view. I agree you, you might wanna have a whitelist, so here's one possible implementation is not not wouldn't be normative, but you could have say like a known list of ten um that way: you're, not just rendering random attacker provider text button.

F

Let's say it's like Xbox I think you know the U badge of that is when I said before is like one of the main questions. We're asking trying to prevent against phishing is: is this your device and is it in your possession right now being able to say it? Is this your Xbox? Now, if that was from a whitelist of ten I I, don't particularly see how replacing this device with Xbox would be bad.

F

I, definitely see replacing this device with random hacker provided text would be bad, so, okay, yeah I, think you make a good point. Yeah, there's.

A

Security considerations text is good. I go back to the kind of earlier points about implementers and clients, not always reading the spec, so he should weigh the value of you.

E

A

That specified in the request versus derived on the authorization server side from a client ID versus the way, the convenience of that versus the risk of people doing it wrong right. Okay,.

M

Maybe it is in the dock and I, don't remember it, but there's a number of uses of this. It isn't asleep clear to everybody. Some people view that the device there's only one thing on the device, but the model is that there could actually be a bunch of other apps running on the device, and so the device knows who it is but rap is trying to install and boot up.

M

You know so it's you know you're trying to enable Netflix on your Roku right which, as opposed to just enabling the device right, you may want to call that out, because it may not be obvious to everybody. Okay, yeah thanks at that point, now it's deadly true and then sometimes people are just trying to revoke the service as opposed to across all devices and sometimes they're, trying to revoke the device right and all the surfaces. Aren't it right so.

F

I think we doubt we have this. It would always be revoking the service across all your devices without the ID. Okay,.

F

You know there's almost funny cuz, actually I guess I didn't include this in the earlier drops, but we had actually go. I actually documented this. You know as it proposal internally like a bunch bunch of months ago, so so.

N

Curious Cala people, John and Bradley from yubico, so before Lucy gets up to throw this particular cold. Water I'll beat her to it that device ID is actually a correlative all identifiers and many device manufacturers go to great lengths to prevent different apps on the same device from knowing that they're on the same device. So there's going to have to be some significant amount of security considerations. I'm minded to privacy considerations. I minded to separate this from the spec. That's about to go into last call.

N

This probably needs to be its own spec and consider what how this relates both to mobile devices, mobile devices, limited display devices and attestations, etc. I think this is its own fairly large ball of wax I. Think that trying to stick this into the device back at the last minute is going to cause the whole thing to blow up in iesg review, with all sorts of just she's already got a list of discusses that would completely tie us up, so I would say, don't fall into that. Let's not fall into that hole.

N

Let's get the device spec done and consider this as part of a separate add-on.

H

Brian Campbell.

F

Well, are you have you for John to speak for you or be interested to hear your points if you having to, if you're, happy to let John nurse before you, then.

P

If you're going through a full security audit, again, I think.

E

You're, at least.

P

A year out again on this document, if you want that, that's one way to go I think you could drive a truck through this okay.

E

F

Guess in defense of these three parameters, they're, not they're, not trying to be anything more than just self client asserted. You know unencrypted unvalidated. You know, revocation hits as I think.

B

F

B

That you've brought this up. I could.

F

B

Underscore hit on all because I think the the context of of this document sort of makes the whole topic more under standard rather than I'm talking about in the abstract. That's why we hadn't had this that discussion before.

E

So it was a good good that.

B

You raised it, but clearly, as as you can see, we can all see. We need a little bit more discussion on this and then we need to make a decision on. Is this a separate effort, or is this something in there or are we actually doing something completely different? I I, don't know Lucy yeah.

P

You mentioned several issues like multiple devices renaming, revocation, all of which are extremely complex, to manage to add that at last call in the spec is that can help okay.

B

But I, don't I I think we shouldn't get hung up on the last call. So we thought that, like coming from the last night yet meeting with that, we are done, but often the last call is away for people to look at it and actually raise things. So last call is not always the last call, so so I think this is it's as good as any other time to raise these issues so Justin, yes, Justin.

C

G

So a couple of things about that one. Actually, this this loops back into Mike's question earlier of you know: why are people bringing up all these things now and part of it- is that this spec has sat kind of pseudo stable and dormant for years, so people have actually been implementing this for a really long time in non-standard, but mostly kind of compatible ways, and so now that it's finally going through the standardization process, people are starting to pay attention to a wait.

G

Does this actually fit the use case that we've been deploying for five years?

G

So that's where some of this stuff is shaky now we are also really seeing a bend in the curve of adoption of sort of alternate modality devices which first devices IOT devices, and things like that where this stuff kind of does make sense, and in addition, we do have some interesting use cases like the one I posted about on the list from one of my clients, where you know this, this mode really does make sense, but it's only very recently that this kind of stuff has been coming up.

G

So this is the right time for, for all of this, to get hammered out and I. Think that's why we're seeing that all that said everything I'm hearing is that this stuff belongs in a separate spec I threw a link to just such a spec into the chat just now, because I don't know, I thought it was a good idea back in 2010 and in in any event, I agree with the sentiment that that this really should kind of live in its own space, because what Annabel said is also true.

G

This applies to more than just the device flip, so we're not just talking about device ID in my original spec I called an instance identification because I was thinking more in terms of like I think it was dick was saying like public clients and a bunch of other things.

G

This has applicability beyond other things and, as has been brought up, it's a big ball of wax, so I I am with the thing with the sentiment that it is too much to try to just slip this in here at the last minute, because we can do this in a standardized way across multiple flows that does address all of the security and privacy and other considerations as a separate document.

B

Justin, can you post a document that you mentioned to the mailing list, write it in to some child.

G

Actually, it's it's on the thread. That's discussing this.

I

The minutes, what's that perhaps a.

G

E

G

Roth instance: zero, zero.

F

Thanks Jesse, no, your yeah.

F

I'm inclined to agree I guess I'll be working like the native apps stuff for a while, and we definitely saw the same problem there. So if you'd, like any help, you know reviving that doc. I'd be very willing.

H

That's Brian from ping. This may be mood at this point, but I've had just one comment about the device ID that may be still useful. It seemed to be a lot of concerns and about the stability, verifiability and privacy concerns of the device ID.

H

When what I'm hearing is there's a very specific use case for using it to group, authorized apps for the same authorization server system from the same device, we right I understand, but maybe it could maybe this the same sort of things could be accomplished with just some sort of model, or name or nickname or nickname hat giving up the group ability used.

H

But if you think about like my Roku I I'm authorized with yeah with YouTube and Pandora and Netflix, and so and those are different services, so there's no even physical way to there's no way to group those anyway. I have to go to the different things, so maybe within a single service having to give up that particular grouping is, is a worthwhile in terms of avoiding some of the other issues. He said.

I

Maybe we could accomplish this with what.

F

Did you say maybe maybe the group he is not.

H

Just want to hear what he said: maybe the grouping functionality could be dropped.

H

In favor of just a name hint, you know what was the thing you were proposing. Basically, just drop in device. I got from this, and and I was using different names like Kent. Just yeah, maybe alleviate other fears, but but really just taking the device idea in the grouping. Out of it might be a way to accomplish more or less the same usability functionality with one small loss and maybe getting rid of a lot of the concerns around privacy. Yeah.

F

Just what one bit of feedback on that, the only things I guess, I sort of see that users mostly visualize their their equipment as devices not as like YouTube on my Roku and like play music on my Roku I. Think the mental model is more like hey I'm, like you know, I don't want my Roku anymore. Here it is Brian.

F

You take it, but I better go in and like to leave my account from it and I think I think that Mandal model does suited, but yeah I agree, you're, saying it's a trade-off and maybe it's just not worth with a cost to say just yeah absolutely well. Maybe we should consider that, with with the with also.

B

Look a little bit of a time ago. Yes,.

F

B

Discussion you in any way, but alright I can.

F

Get through the rest in 30 seconds so so.

M

Just to reiterate brands comic because you all you need is a locally scoped identifier. You need, you, don't need a globally scoped identifier. The global one is the problematic one. Absolute.

F

Absolutely and and I think the the locally second one is preferred for a privacy point. I agree. So it's like a publisher device right.

N

It's probably needs to be pairwise in the way that we're doing other things pairwise and may relate to some of the stuff that we're doing around logout so or token, revocation, etc, because it really is by whoever's doing the authorization. So the.

I

N

Or there may be other things that are more appropriate than a device ID, which is why pulling it back and looking at it yeah my broader perspective, okay,.

F

Well, I mean I'm sensing, a fairly consensus, at least to look at that as an option in the.

J

F

Right all right, well glad we had the discussion. Let me just wrap this up.

E

F

Are no more new changes to propose so just to go over to run encode did an update. Google's a s is actually now a hundred percent spec compliant with the zero six version. Three we had. There was like one difference since IETF, 98 and I. Don't think we invalidate that today, so, let's hope not miter, ID I believe 1.3 should be released. Now, since it was that's, we get released in Chicago, that's another and this one's an open source implementation. On the server side, we have also an open source client implementation.

F

The plan is to move this into the Apple project, which, once it's actually Saturdays and just and I, did some interrupts between the two so yeah. There we go and I think we've done putting.

B

You know fairness, there's a couple of other open source implementations. Oh right,.

F

Yeah I'm not trying to uh not try to exclude any so I guess. If, yes, please.

B

Great yeah well.

F

And send them through the list, because I'm not sure if I, if I have that list I would definitely quit in the slides. If I did all right thanks. Everyone I really appreciate the discussion.

H

All right, Oh token exchange been out there for a while, in fact, I think it was the last time in Prague that I came, but it heads with Mike a little bit of trying to reverse the direction of this, and we came to some compromises to move forward which which were done shortly thereafter, and that was about two years ago, so yeah. Here we are that's a picture from last time, we're in Prague next slide. Please so I try to give a little bit of context, even though it's been around for a long time.

H

Just for people aren't totally familiar with it a reminder- and this is a slide of one specific use case- that's available with token exchange. Token exchange is an extension to OAuth that allows for basically arbitrary exchange of tokens. Some client doesn't matter who it is, how the token needs to get a different token for some other context of use and token exchange is just a framework to facilitate that.

H

One particular use case that we hear a lot is a client in sub-zero obtains a regular old auth token, through whatever flow device flow authorization code, though it doesn't matter, it gets won through a normal offload. It has it and it sends it in step. 1 the resource server through a normal. You know, RFC 6750 request would be the resource server received that, but it needs to get a new token, with similar content suitable for a back-end service that it has. So it does in steps 2, & 3.

H

It does a token exchange here, Sansa token up to the authorization server in exchange for it for a different token that is suitable to send to the back-end server and then passes that along just as an authorization token as well. This isn't the only use case, but it's one. That's that's enabled by it by this protocol and is pretty common. So these these two spec encompass senator kokkonen, get it took them back now, there's some other concepts in there.

H

You can send two tokens which allow for you to express types of delegation and so forth, but but it's hard, it's really just exchange a token or two. For another token, that can be used in a different context.

H

These are these. The wire examples here are actually examples from the first part of the specification. If you all look in detail at at but I'm just.

A

H

To give a little bit of context, because the next slide doesn't have a lot of context, just the status update, so draft 9 of this was published earlier in July, with pretty small changes which were addressing working group last call feedback and I do highlight here that these were addressing. What I feel like are actionable and meaningful working group last call feedback.

H

There was one set of comments from someone that has made a lot of other comments on this, and other specifications that are are not necessarily meaningful or actionable and I've addressed them to the best extent that I can but I. Don't think that there's anything additional that can be done, I don't think he represents any sort of consensus, opinion and I further.

B

A little bit early thought that myself, we we look carefully a kiss called.

E

He would like us to beat.

B

Him to see, because sometimes for some also for some, you comers and he hasn't been acted under in the group directly, so it may be. It's sometimes be a language issue. It's like a terminology.

H

Language etc, attitude. It's certainly possible just for what it's worth he's been active in a number of other groups which um consistent behavior, but the things that we have changed based on that changed. One word from a non normative can to may just to try to clarify things that was actually a result of his feedback added a statement clarifying that the validity of the subject, token or actor token.

H

The tokens you send in their validity has no bearing on the validity of the token that's been returned outside of the context of the exchange, so they have to be valid when you exchange, but there's no correlation implied thereafter. So once you have a new token, it's it's it's decoupled.

H

From the original token, that's always been the intent in the case where there was some wording out last call feedback that asked to clarify that we did change one error code from a may use in a certain context: around requested resources being inappropriate or unable to fulfill I had a May in there, which I it should have been a should I.

H

Think in retrospect, I think it was just a careless wording at the time, so we tightened it up a little bit clarified text, it's the same, normative stuff about using non identity claims within the Act claim and then being meaningless so that you shouldn't use them there and I added a little bit of privacy considerations.

H

Actually I stole some wording from from ws-trust to sort of be all encompassing about the privacy considerations of this use, because it's very difficult to cover them all, but I wanted to address some feedback that those were missing and and provide a little bit of a little bit of guidance or at least awareness of the privacy considerations involved. So those are the changes that have been made, they're all relatively minor, as I said so yeah next steps next up series, I'm pending your review of the other feedback and discussions with with people.

H

I would ask that we transition this to waiting for write up and/or moving forward, and this is a photograph of a busker.

H

I'm not exactly sure what I meant by it, but it feels a little bit like the state of this draft sort of like waiting and boredom, but with some sort of impending danger of this giant snake around his neck at the same time. But it was probably lated I like photos, and so you can. You can interpret that how you will.

B

Good idea any immediate comments on this document, or are you guys? Are you guys good you're? A working group last call as we decided at the last IDF meeting, the band was to wrap this up and and ship. It.

B

Okay, all right.

H

I've went a lot better than Williams no Williams.

H

You never know.

B

Yeah only this minor changes only editorial changes.

H

All right, the other, the other presentation I have today has a very similar title and I get confused typing in URLs and end up with the wrong one all the time, but this is off to two combining we have another photograph from Prague the last time we were here because that's what I want to do so try to set a little context here without getting too deep into it. This this draft is intended to provide an OAuth to you proof of possession mechanism.

H

We talked a lot about the value of proof of possession on Monday I, believe it was in terms of what what that can bring you in terms of preventing issues with lost or stolen access tokens. So this is a one mechanism to provide that proof of possession and defeat. You know, play or replay inadvertent play by the wrong party of lost or stolen tokens and OAuth context, and that that includes access, tokens, refresh tokens and authorization codes.

H

Next, please so current status here, jumping out of the context into the weeds on the token binding working group documents, there's three of them: GLS negotiation, the protocol itself, the message format and how it all applies to HTTP are all very, very close to being submitted to the ISP for publication. As my understanding is that they're waiting for the working group chair go ahead and or the Shepherd right off. If any of you know the chairs of that work, I can't quite recall who they are.

H

Perhaps you could encourage them to continue that work, I believe they're, also Sri cently, some NIT fixes on the drafts, which are very minor but important in.

H

Any way they are in a relative, relatively good state and and very very close. So that's good in this draft that token Bonnie draft four of that was published also early in July, apparently I did it. On the same day, there's some very minor editorial fixes more clearly defined how to convey the token binding information of an access token. In an oauth2 token, introspection response.

H

This itself was is very similar to the work that was done in the NLCS bit around around token introspection, all catalyze from a comment that Justin made at the last last IETF meeting, which was that there was a lot of assumptions being made about how this would work with introspection that were not clearly stated in the document.

H

So this just just calls them out very explicitly and as a part of all this, there is now an introspection request, introspection response, parameter, request registration to ion are being made in the OAuth M TLS specification, which sort of broadly encompasses all of this and is applicable here because we're using the confirmation method as well. My expectation is that that document will progress more quickly than this document.

H

So I put the registration request there and then removed an open issue related to that and again just clarified exactly how that would work um and I also added a long rambling open issue about the need to allow for a web server based client to opt out of having refresh tokens bound, while still allowing for access tokens themselves to be bound.

H

I'll talk a little bit about that on the next slide, so getting into open issues in the document I'm defined the conventional wisdom here about having a lot of text on a slide, mostly because I wasn't sure how to narrow all this stuff down to a slide, and it's meant more for me too. As a reminder of what to talk about, you get a picture excellent.

H

So one of the open questions has been there from the beginning is what should we do in the case that a refresh request for a token bound access, token is received, but the Refresh token itself was not token bound. That's a it's a fair question. It leads into the next question if I won't read the whole thing, but it's about web server clients so tow combining at its core is developed for use cases where there are many.

H

Many many different clients, web browsers native applications on phones and it's a nice way to sort of dynamically, create additional trust and bind tokens from those individual devices. When it's brought into the OAuth fold, there are different kinds of clients and one of those clients is is potentially a web server.

H

uh You know, Facebook from its web servers acting as a client calling services at Amazon and token binding of a refresh token in that context, is a significant issue, because those web server clients are likely distributed across many different nodes, very likely geographically distributed across different data centers.

H

Maybe even different cloud providers hosting them and shared access to a private key is oftentimes cumbersome impossible in such environments, and this is all before we get to the question of what token binding client-side API is are going to look like, and my expectation is that what is already a very cumbersome, sometimes impossible problem will not be made any easier by the api's that are provided around token binding, because they're really meant to be they're, not ephemeral, keys, but they're, they're, sort of on demand generated, client-side keys that adapting those api is to be able to also securely store private keys and share them with the entire set of your clustered applications.

H

Is it it's not gonna happen? I think there will be a small subset of implementations that could figure out how to do it. They will be in the vast minority and I think.

H

If we don't address this problem, it will severely hinder the adoption of token binding in this context, and the real value of tow combining in this context is to bind the access hook, it's to prevent them from being misused or replayed in other contexts where, when we have the Refresh token is already bound to the client credentials established with the web server client oftentimes.

H

Yes, that is a client secret, but those are long, long, client, secret strings and we also have stronger forms of client authentication that a comp that can accomplish similar similar benefits like mutual TLS. So I'm I'm strongly advocating the need for some kind of solution here.

H

I see two possible approaches and one is to toggle the behavior based on some kind of client metadata, so metadata client registration metadata isn't required, but it's often used and even when it's not used, it strongly suggests a model for client registration data, even with with providers that do static registration, and we could put some stronger text around that, but a way for individual clients at registration, those that have client credentials established private clients to say please do not bind refresh tokens for me, even though I would like access tokens bound and then the the way that access tokens are bound are by presenting the token binding information at runtime, which includes the provider and referral combining I.

H

Think, that's probably the the most straightforward solution. It's easily implementable, easily understood the metadata parameters already largely exists, so I think it would be just some some wording around their usage and some normative language about Bom right now, they're just sort of suggested of and indicated, and they could be enhanced a little bit to say in these. In this case we're you know this indication is false. The authorization server should not took combined refresh tokens getting back to the rebinding.

H

The refresh tokens to just sort of further complicate the one of the main problems is the only way to request token by an access. Token is through the presentation of the sec token binding header after negotiating token binding and including a referred token binding in that and the only in in order to do that by definition aspect, you also have to provide a provided token binding. So there's no way to make that request without providing the data.

H

That's right now in the standard said to be used for both for binding, both refresh and access tokens and yeah I'm. Sorry that was a bit of a diversion but sort of missing that before the other potential solution. Here right, yes,.

I

Mcjones Microsoft I just like to say that I think that the metadata approach is very reasonable and I really don't want to think about what are the security and threat implications of providing a rundown way to disable the security feature I.

H

Think that's a fair and reasonable criticism of the option that I had not yet presented so I guess: I did sort of allude to it but way to look into the future. We did discuss this a little bit yesterday to try to clarify our own thinking about it. The other option would be.

H

Allow would be to allow for some sort of parameter on the token endpoint request for the client to express the token binding ID that it would like the access tokens to be bound to it could do that without negotiating token binding without providing the provider token binding, which would then mean that the the authorization server would have no way to bind the Refresh token, but it would have data sufficient to find the access tokens. I was I was kind of liking.

H

This approach for a while I think there may be other simplifications of client-side API is that it allows for I actually think the security implications are okay in this context.

H

But having said all that, I think that the metadata solution is is more straightforward, easier to implement and solves, addresses the immediate problem and doesn't open up any potential security issues that I I'm, not aware of, even though I think it's okay and continues to use consistent behavior around around how to' combining is conveyed and verified and so forth at the at the token binding for HTTP layer.

H

So at this stage, I'm inclined to suggest request that the the next revision of the document include addressing actually both of these issues based on client metadata, because the client metadata can also take care of the understanding or at least clarifying what to do in cases where access to and refreshed, okay, don't have the same binding information.

N

John Bradley yubico I vote for option, 1 I think option. 2 has a couple of decomposable points: I, don't a runtime switching is going to cause problems. There may be other reasons to have token binding, negotiated on that TLS connection.

N

I think there is a separate issue lurking in there, whether or not we need a separate parameter for for being able to express the referred token binding, separate from the referred token binding in the token binding header, but I think that's kind of a separate issue, so I think dealing with an in metadata saying it's: okay with sufficiently strong client authentication, because in principle you want to authenticate the client.

N

If it's a server, we could direct people to use a sign jot or or other stronger mechanism, so they're, not passive, using HTTP basic and passing them. The that, on the on the line, so I think we can give good advice about using mutual TLS sign, jots, etc. In combination with token binding for the for the access tokens, I think we still need to have a just a discussion point on whether or not in these clustered environments. It's actually reasonable. That the token binding API that's provided can get the refer token binding from another node.

N

Or can we should we be saying yes, the node that it's going to use? The access token has to be the node. That's used getting a refresh token, so there's more discussion that needs to happen on that particular I.

H

N

H

It is separable from here so I think, leaning towards metadata.

F

William, yes, I, don't know if he explicitly called this out so I just wanted to ask: is this only for confidential clients I, don't think I.

L

Explicitly called it out, but.

H

F

So, okay, thanks for the clarification.

L

F

Yeah cuz I, guess like a native app, for example, doesn't have that its own only is it not a convention, but it's also shouldn't be distributed. So that's right.

E

F

Probably falls in the category of hey, you really should token buying the Refresh tokens, yes and secondly, I guess like I, do we want Iran to be using two combining for OAuth eventually so, ideally yeah I guess the only risk I would see is like you know. If we all have too many people to opt-out of too many things and then I just like it's too hot I, don't implement it.

F

So I, don't know if you have any thoughts on how to encourage you know people are still buying their access tokens, even if they click the opt-out box. For, for the Refresh token,.

H

I hadn't thought about it so much in in that context, more the other side of it that I felt like not providing this opt-out would de facto mean that people won't be able to enter a minute so but I think some. There may be some guidance or wording around this that that helps address or alleviate those rights issues like.

F

For example, could you see a world where refreshed recombining like potentially, where refresh token binding, is optional, but access to combining could be compulsory like for a particular ization, Center and I'm, saying like in five years, but like yeah? Is that a post like um from from DS design, yeah I, think so.

N

John Bradley again, so we do have the mutual TLS option and in some cases mutual TLS for access tokens might better fit somebody's deployment use case, I wouldn't say, maybe mandatory proof of possession access tokens. There may be more than one mechanism for doing that. He did say in in the context of a particular authorization. Server might very well well, but even in particular, authorization server might might, but.

H

You could yeah so.

N

We don't want to be overly prescriptive, but I mean the concern. I. Think at the moment is the only way for somebody to turn off being broken because they have a cluster and by default, the Refresh tokens are being token bound would be to disable token binding on their calls to the to the token endpoint which mean that they can't do access tokens, talk them down to access tokens, so this at least allows somebody to have that to be able to do talk about access tokens without without token binding. The Refresh token correct.

N

So this is a first step, not necessarily agree.

F

William Dennis, just to clarify I, wasn't saying that we should be prescriptive in that sense, but just that a particular authorization server itself could say for us access token token. Money is mandatory still even with this sort of real like say, even if they implement these minute of it, yeah I think so.

H

All right great next one, it's a little better, um a couple, more openness, open issues. One is a question of whether the scope of this document should include some kind of standardization or at least guidance on using token binding, with client, authentication and or authorization from yeah. The 75 23, which is the client, authentication and authorization draft in in some ways. I feel like this is easily inferred from the existence of the confirmation claim how it's used and would be using this. You know in this context.

H

In other ways it might be useful to just say something about it here, because I think it is particularly for client authentication. It's maybe a really nice useful security enhancement mechanism, but right now it's not in there and it would it's sort of left up to the imagination or an exercise to.

N

The reader John- yes, we should write it down because it's only self-evident to us using the confirmation claim in a self-signed jot for client authentication if formal economist to space. Yes, it is actually just self-evident to us you're right.

H

The the scope of people to whom it's self-evident is probably relatively small um as a co-author in.

B

The document, what specifically you want to like, give us a short summary of what you would like to like that.

H

Since John's in favor, I'd love for him to write it down. But since I know that.

E

H

It would be a it would be hey it's probably a small subsection of the document that describes how one would use the confirmation claim, with the tbh token binding, hash confirmation method inside of it in the context of the JA client authentication,.

H

Not again not real, controversial yeah, looking forward to see it there, okay, yeah and then this was this is all sort of related, but the metadata needs some work. The main problem, I, think, is that there's a reference to the OAuth to protected resource metadata, which is not a ongoing draft, so we've got a kind of a hanging dead reference I think it needs to be removed and some some clarity about what canon cannot actually be inferred at runtime from the metadata values and what can be enforced should be added there.

H

This has been sort of an ongoing reminder to myself that it exists as well as a hope that mike the look, the original text would go back and fix it. Although we we chat a little bit about this yesterday and in the context of a similar problem with the open ID connect layer, so combining spec that has similar issues and I believe I believe I have some ideas, basically about a roadmap about how to how to keep the same intent, remove the hanging reference and clarify the text in a meaningful way.

H

So I think we're good on that, and certainly anything that's written will be another draft and available for review I. So it's on my list to do like I said these were just listing the openness.

B

What, if what do you so be a little bit more precise? What do you want to do there, like you, want to remove that reference and that reference in.

H

That particular metadata field are gonna, go away, and there will be the text around what's currently there of detecting attacks. What to do in cases where bound tokens are expected, but not received we'll be just reworded to clarify what what what is and isn't possible and perhaps provide some guidance on what to do.

H

Alright next slide, please so just looking ahead. Hopefully the the core underlying token binding documents progressed RFC here pretty soon I know. Andre is looking forward to that. Not even though he's not listening right now, work through these open issues, I think I've a way forward for a lot of them. So that's good. We definitely need implementation, experience and feedback here. There's there's growing implementation experience in tow combining in general, but most of the client-side implementation is currently in the browser.

H

So we haven't seen like client-side widely available libraries, yet server sides also questionable, but coming along. So this is still early. I think there's a lot of room to learn and work from there, but it's progress and then get the band back together, again: I 100 and in Singapore and here's a John Belushi impersonator, just uh just to help you get the band back together or get in the mood for.

M

It that's all I've got dick Hart Amazon in the current token binding it. It are both access tokens we're not really dealing with a TLS proxy around. How do we push that proof of possession all the way through to the application and preserving that integrity?

M

Is that viewed out of scope for this document, or is that in scope, I.

H

Would view that, as out of scope for this document, because it prescribes how it's done with OAuth, um there is a document that was just accepted as a working group item. In the token binding working group that describes how to convey the information from the TLS terminating layer as a reverse proxy convey the token binding information that was verified to any applications in the backend which would allow them to to do what's implied by the the auth layer.

M

Which is trust in the TLS layer around what doing yes right yep so that doesn't provide the same security characteristics of other proof of possession mechanisms that go from client directly to the application? That's correct! So is there not interested in doing I, mean I, consider it an OAuth problem. It's a proof of possession type token we're trying to go and add proof of possession in 200 auth to flow of witches.

M

You know protocol works at the application layer as to how do we get that signal uncompromised and securely all the way to the application layer, so you're saying that you don't consider that being scope for OAuth the token bindings? Really, how do I move this? It's.

B

Bound for all of us, but it's not as cool for this document. Okay, okay,.

H

Yeah I mean the it's in scope, it's on scope for this document and that the technical solutions right now I'll rely on some kind of established trust between the TLS terminator and the application. And that's that's the work that's going on, but.

B

You could argue from that, for example, the document that justin has been working on with HTTP signing is such an application layer pop approach, but it's the right one or not is a separate story, but you that's.

H

True, so this is a this is a TLS layer, binding approach and yeah.

E

H

With everything that comes in with that.

B

If that makes sense to you, yeah.

M

I think you know: Microsoft had something internally that they were using around. How today move that continued the signal, all the way through to the application mm-hmm did.

B

You do you want to speak up, we.

I

Do but I don't know the mechanism well enough to speak about it at this time. Okay,.

H

And just from a technical perspective, I, it's I, don't know of a way to do it. That is tightly bound because it's it's bound to the TLS connection between the client and that TLS termination, so everything how it happens behind that is simply moving signals, but not not something tighter than that and if there's a practical but.

M

Wait the verifications happening at the application layer, that's correct, and so, if the GLS proxy doesn't know the currently the tokens opaque I mean not okay, if it's visible and so I think the Microsoft solution was they're encrypting the token. So then the proxy wasn't able to go and see what was the ekm. In the token.

M

E

Well, I, don't know, I mean we're not go.

H

Appa blah there.

M

Are okay, so nobody nobody's won. You guys considered out of scope for this back and to nobody has a clear idea about how to solve it. Yep I would.

H

Say that's true, but to be fair, I'm, not sure you clearly articulated the problem so.

D

Yes, I mean you're talking.

M

Look the problem is, is that the TLS Terminator is in a different trust domain than the application. Okay,.

E

M

It that we trust, we trust the thing to terminate TLS, but we don't necessarily trust it for managing the tokens. Okay, then, that I I.

H

Don't that's certainly not in scope for this document. I, don't think, there's a viable technical solution using token binding I could be wrong, but.

M

So for anybody running in AWS, right, they're having to trust the terminator, if they're sitting behind it, yeah- which they do now on lots of our deployments, don't, but they give it their private key. What's that, but they provide it with their private key right. Well, they trust them. They trust the TLS terminated to manage TLS, but they don't trust the Terminator to manage the token or manage the authentication authorization.

M

So so in AWS, you know, API calls that don't see before which gives you an and proof of possession, okay, which you know, transit, fine through a TLS proxy, and so ideally, we would like to use something was more standard, but it doesn't have that the token binding and access token look. What you're proposing doesn't solve our problem and give us similar security characteristics around what we already have a ciggy for: okay, I'm, not.

H

Familiar with that, I would encourage you to look at what's being done. In the token mining group.

M

H

On the other side of it, I'm hopeful that systems like Amazon's, application-layer load-balancing will deploy what's being proposed and tow combining right now. So you can enable your customers applications to do tow, combining both of cookies and OAuth access tokens and other things like that.

H

H

Think we're talking about different problems now or at least in a different context,.

N

So there John, Bradley yubico, so I did attempt to extract the information from the devil the other day about what Microsoft is doing for office 365 native apps, and there is some notion that there is an additional token binding ID, which is added to the token binding header which he's generated by the native app that is signing over some piece of material, which is the goat. She aided from the thing behind the proxy to the app itself and I, asked the devil to have.

N

His minions, provide us with said information, but it is potentially a chip. It's not something that would work front with a with browsers as deployed. It may be something that's secretly in Microsoft's library, I, don't know. Since he's. Looking he's looking at you're, looking at me like like I'm, crazy, which is probably because the devil is full of lies, so.

E

D

N

Is potentially something there we don't I, don't understand it enough to be able to.

L

N

It down or adequately explain it so perhaps if more information can be provided to this working group in the token binding working group, we can understand why Mike wants additional token binding IDs passed through and all of the other sort of intertwined issues sure sounds like an.

H

Oauth eager.

N

To meet back down, but.

H

Hey so some kind of signing or application layer piece would would provide it. It's not token binding and, just to reiterate, like we can't write standards based on unknown individual deployments, we have to build them on other standards so that that's the context with I'm working in here so.

Q

Under a pop of Microsoft, trying to speak of the devil or and a half so I'm not not entirely familiar with what was just sad right so, like I know what the implementation of token binding looks like in Windows is I worked in bad, it's just an implementation of the standard where we build messages where we're allowed the caller to specify what type of binding they want to do. So, basically, that's what we have you know on top of that, how a specific system uses that I, don't really know you know.

Q

It's can't comment on that. I would be surprised if there was a solution that provided the end-to-end token binding validation of the type that was just discussed, because that doesn't make a lot of sense to me. If you are, if you're terminating TLS at the TLS terminator. That's where end-to-end ends, you see what I mean the terminator. If you don't trust your TLS terminator, you know it can inject requests. You can, you know, do all sorts of bad things. You know you can.

Q

You can have an architecture where the backend server actually verifies it or combining by having the TLS Terminator pass. The ETM and the you know token binding message to the backend, but it's still not really, you know and to enter the application, because, again, you're still trusting that your TLS Terminator is passing the correct information to you. So I'm.

B

Not aware of what that's, actually, we discussed this in the context of the proof possession work in ours, and we had this write that which we need to update at the architecture document that talks about these different ends and in these different nuances and which.

E

B

Had, for example, this HTTP signing solution specifically to deal exactly with the fact that things terminate in different places, and so you have different ends in that in that communication.

B

Yes, you all know we ran into some issues with the HTTP signing, but and people have entertained other ideas, and maybe maybe there's there different layers on what some of the deployments want to provide in terms of security guarantees, but I think it's definitely in scope of our work. We just have to come up with ideas on how to best solve it and that had had been a problem in the past. We didn't make sort of rock-solid decisions and then move that forward.

B

But there are documents out there that at least say something, but.

R

I'm not gonna I thought I had something intelligent to contribute, but I don't think, but.

B

H

R

Sorry this is Dirk from Google, I guess, dick I. Then it sounds like you already have a proof of possession thing going with your particular authentication protocol that you're using so you're good right. What what's the question.

M

Jacquard Amazon, we have a what I would consider a proprietary mechanism that we call sig v4, which is how API calls a need of us are made, and so that works, but it's non-standard, so we would prefer I would prefer moving to a more standard model that worked across the internet as opposed to us having a model that works really well for us. But.

B

It wasn't working, would you elaborate a little bit on how your solution looks like because I'm not familiar with it.

M

So Sigma there's a secret. You sign a request and then that you, you sign the request, you sign everything and then that's verified at the application layer. So.

B

Are you essentially saying is, is it an HTTP based signing mechanism or is it like a JSON based protecting some sort of constructing and a request token, if you will it's more HTTP base, I'm essentially signing the.

M

B

M

Okay yeah, so it's just that which is enough proof of possession mechanism. Sure right does.

B

That relate somehow to what Justin had written up I. Don't.

M

M

But it prevents compromised TLS proxy from changing your request.

B

G

At the when I was writing the initial HTTP signing thing. I did look at the AWS solution and a few others there's a I believe it's cabbage or carriage I forget his last name. There's another specification out there and one of the issues with a lot of those is that they presume that the HTTP message itself doesn't get transformed, and that was a problem that I personally ran into a lot of with OAuth 1 implementations, with parameters getting reordered and added and stuff like that. So that's why my my version differs.

G

That's that's really the main difference between the one that I had proposed, and these other ones which say effectively, you know, take the HTTP message.

G

You know as as presented and do your signature on that on both ends and my understanding with the AWS side is that there's there's just a lot tighter control over. You know where you get access to at the application layer, the HTTP bits and so yeah I'm. Definitely I was aware of that. It is related in the sense that they are solving a lot of the same problems in similar ways, but there are some different considerations in play.

B

But I hear that we sort of have an action item for Dicky to look at the current, actually HTTP signing working group document which I believe it's expired. That's why you you couldn't find it under on the page data tracker page, so I think that would be a useful step and figure out whether that's actually solves the issue that you're having. How does that sound.

G

Right and if people wanted to have a you know a mode of that, one that just signs the pristine HTTP request that should be easily doable so yeah. So.

M

The build iron token vine. What was that.

B

Nia so Nick said that it doesn't lay on top of Bill combining oh.

G

Yeah, a player there, they're orthogonal, you could apply.

G

You could have a token bound to the procession access token, where you're signing the HTTP requests at the a player and you're also doing token you're binding the token to the TLS Channel. You could do both.

M

Well, that's the feature that I like about finding. Is it you're not having to do client management of a key right? So that's that's one of the downsides of sig before is that you're having to go and manage a secret over with the client token binding enables you to get many of the characteristics of proof of possession without actually having to do key management and the client about?

M

How do you get the key to a client so I, like the kit that characteristic a token binding, but then wanted all the security features we still had and proof of possession all the way through to the application.

B

Okay, um I wonder like what would be a reasonable next step on that issue is not it's not totally obvious to me, but uh maybe you can still have a look at the document and see, but you you'd be big because you want you want to you want o confining. You don't want to have it at the epic public up to the application you don't want to. You want to have a standardized. You don't want to have to manage keys in the client, so.

H

You still have to manage keys in the client. You don't have to distribute keys to the client. It's just a little which I.

A

Understand is the hardest.

G

It's hardware to service a hard.

H

Part, it sounds like you're asking for a HTTP level. Signature with the toe combining key know.

B

H

Yeah, maybe that sounds conceptually like what you're looking for, which is.

M

I, don't know whether it's possible, but I mean we. We were we like the idea of token binding right, but, and we like the idea around not having to do management around distribution of keys. We have a mechanism that works now. That gives us a lot of very powerful characteristics that enabled our customers not to be worried when there was compromises on the TLS staff, so we're reluctant to not continue to have that, and you know so I'm just phrasing that you know we're interested in solution like that.

M

I, don't necessarily know exactly how, if you saw up so I was trying to figure out where there is in scope for this particular document, because this has many of the right characteristics it just doesn't deal with. Tls proxies, which is most of all our our deployments are have a TLS proxy. So.

H

Yeah, so the answer is: it's not currently in scope: okay, there's workaround TLS proxies that is in scope, but does not address. The OAuth does not address your specific concern, which is not unique to OAuth, which is fine.

B

But but I think the the issue needs to be around Tomas, because we are talking about doing the application layer, yeah.

M

I know an API access mechanism and no authors primarily, but the issue described is also.

H

Applicable to to normal use cases to talk them about cookies, that, if you trust in the TLS Terminator in that context, is exactly the same thing, but.

M

H

M

Cookie world there's no other mechanism right that the TLS is passing the cookie, and that is your existing prescient model wherein an API access. What's that yeah right, but.

H

Token bindings giving tools to address that in a standardized mechanism and those are being worked on so for cookies, sure and for no. But you know just the same issues exists with cookies, like there's.

M

Not a magic I'm saying in cookies, there's there's, there's no binding of the whole request and the cookie from the browser all the way down right, so you've had you're not losing anything and moving to token binding. That's.

H

Also true in Oh F, so you're referencing your proprietary solution and and wondering why the standard doesn't address and saying that we're losing wondering why.

M

I'm saying you would like to be able to move up to that level of security characteristics about. We have.

H

M

H

Requests, I, don't think it's applicable.

B

Here but but we need to, we can still discuss it and I think I think it.

H

Sounds like something.

B

Having said that, you may have noticed that I disconnected my laptop meaning that we I believe we actually done over time already. So, thanks for.

E

Showing up Mike.

B

Took meeting minutes so we'll distribute them and yeah. Thank you all for showing up and and contributing to the work.