**Session Date/Time:** 25 Jul 2023 16:30

# oauth

## Summary

The OAuth working group held the first of its three meetings at this IETF, covering topics from selective disclosure for JWTs to resource server metadata and cross-device flows. There was discussion of potential normative changes to the cross-device flow BCP, of attestation, and of identity programs at the IETF. Several action items were identified, including reviewing existing documents and contributing to the working group's efforts.

## Key Discussion Points

* **SD-JWT (Selective Disclosure for JWT):**
    * Discussion on simplifying terminology and clarifying the relationship between the digests in the `_sd` array and the disclosures they commit to.
    * Concern about revealing private information through array-element disclosures, and the need for guidance on using decoy digests to obscure the number of redacted elements.
    * Feedback that the current syntax for selectively disclosable array elements looks like a hack.
    * General confusion about how SD-JWT works for newcomers to the specification.
* **OAuth for Browser-Based Apps:**
    * Minor updates since the last meeting, primarily editorial changes and updated references.
    * Discussion of the risk that browser-generated non-exportable keys could be exfiltrated from the file system.
    * Agreement to start a working group last call.
* **OAuth 2.1:**
    * Significant changes to bring OAuth 2.1 and the Security BCP back in sync.
    * The `redirect_uri` parameter is no longer part of the token endpoint request.
    * Need to add a description of how OAuth 2.1 uses the form-encoded syntax.
    * Request for an HTTP working group review to ensure adherence to HTTP standards.
    * Discussion of whether the Security BCP's explicit prohibition of CORS requests to the authorization endpoint conflicts with other response modes.
* **Resource Server Metadata:**
    * Consolidated the resource metadata and authorization server discovery drafts.
    * Addresses use cases where clients dynamically connect to resource servers and authorization servers without a pre-established relationship.
    * Discussion of whether the WWW-Authenticate response should ever return a resource identifier at a different host, and the resulting phishing risk.
    * Concerns over the intended consumer of the resource metadata, i.e., the client or the authorization server.
* **Cross-Device Flow:**
    * Addresses social engineering attacks targeting cross-device flows (cross-device consent phishing).
    * Updated terminology for describing the different types of cross-device flows.
    * Discussion of whether to introduce normative requirements to give implementers clearer guidance.
    * Formal analysis of the device authorization grant by researchers from the University of Stuttgart.
    * Collaboration with Royal Holloway, University of London on UX guidance for cross-device flows.
* **Attestation in DCR (Dynamic Client Registration):**
    * Discussion of using attestation to improve dynamic client registration.
    * Examination of using attestation within client authentication or as a separate, reusable layer.
    * Considerations for workload identity use cases and different client deployments.
    * Inspiration taken from workload identity and SPIFFE concepts.

## Decisions and Action Items

* **SD-JWT:**
    * Clarify the relationship between the digests in `_sd` and the disclosures (ACTION: Christina and Brian).
    * Consider providing guidance on using decoys (ACTION: Christina and Brian).
    * Write up suggestions for improving the array syntax (ACTION: Dick).
    * Provide more introductory material on how SD-JWT works (ACTION: Dick).
* **OAuth for Browser-Based Apps:**
    * Begin working group last call (ACTION: Chairs).
* **OAuth 2.1:**
    * Request review from the HTTP working group (ACTION: Aaron).
    * Attendees to contact Roman regarding assistance in getting an HTTP WG review.
    * Contact Mike Jones and review the list for potential conflicts (ACTION: Dimitri).
    * Mike Jones and Aaron to provide assistance with clarification (ACTION: Mike Jones and Aaron).
* **Resource Server Metadata:**
    * Solicit working group members to review the document.
    * Call for adoption after the reviews.
    * Mike Jones to consult with Santiago and talk to John Bennett about mitigating the problems with redirecting elsewhere (ACTION: Mike Jones).
* **Cross-Device Flow:**
    * Adopt normative text in the document (ACTION: Peter).
    * Investigate updating the formal analysis section (ACTION: Peter).
    * Consider UX improvements to the document (ACTION: Peter).
    * Evaluate open issues prior to starting working group last call (ACTION: Peter).
    * Chairs to start working group last call, if possible, before IETF 118.
* **Attestation in DCR:**
    * Schedule a call in August to discuss attestation technologies (ACTION: Hannes, Tobias, Ori, Choe, Peter).
    * Share the previous talk and slides on attestation (ACTION: Aaron).

## Next Steps

* Mailing list discussions to continue on open issues.
* Working group members to review drafts and provide feedback.
* Address the action items and prepare for future meetings.
* Schedule a call in August to discuss attestation.

---

**Session Date/Time:** 26 Jul 2023 16:30

# oauth

## Summary

This OAuth working group meeting covered several topics: embedding tokens in other tokens (Dick), transaction tokens (George), cross-domain identity (Peter), and updates on OAuth for first-party native apps (Aaron). The discussions centered on use cases, security considerations, potential standardization efforts, and alternative approaches.

## Key Discussion Points

* **JWT Embedded Tokens (Dick):**
    * Discussed use cases for embedding tokens, including aggregating claims from multiple issuers and propagating context through a chain of services.
    * Examined three approaches: (1) allowing custom claims, (2) defining a generic container with a type field, and (3) having a container with a list of tokens.
    * Addressed security concerns regarding potential misuse of embedded tokens.
    * Discussed whether a container should be specified and guidance provided, including best practices.
* **Transaction Tokens (George):**
    * Presented transaction tokens as a mechanism for creating internal authorization tokens tied to a specific transaction, improving security and reducing latency in microservice architectures.
    * Discussed the structure of transaction tokens, including a subject identifier and an authorization context.
    * Explored potential integration with Security Event Tokens (SETs) and embedding RAR (Rich Authorization Request) structures in the transaction token.
    * Addressed the need for a protocol element for obtaining transaction tokens.
* **Cross-Domain Identity (Peter):**
    * Addressed the challenge of maintaining identity and authorization information across multiple trust domains.
    * Proposed a three-step process using token exchange and assertion frameworks to carry identity across domains.
    * Discussed the need to map subject identifiers and to handle selective disclosure and down-scoping of claims.
    * Identified open issues, including limiting formats to JWTs and transcribing claims.
    * Whether there should be an additional profile for token exchange.
* **1st Party Native Apps (Aaron):**
    * Addressed the tension between secure OAuth practices and the desired user experience in first-party native apps.
    * Proposed a new "authorization challenge endpoint" that mirrors the web-based authorization code flow while allowing proprietary authentication flows.
    * Discussed the benefits of reusing the token endpoint for token issuance.
    * Addressed when to use the new endpoint rather than current best practices, and when it would be appropriate to break out to a browser.
    * Discussed device sessions and potential alternatives.
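The cross-domain identity discussion above mentions a three-step process built on token exchange and assertion frameworks, with subject-identifier mapping and down-scoping of claims. The following is an added illustration written for these minutes, not the draft's own text or code: domain A's token is exchanged at a security token service (RFC 8693 request parameters), which maps the subject, intersects the requested scope with what domain B may receive, omits claims domain B has no need for, and issues a short-lived assertion that domain B validates as a JWT bearer grant (RFC 7523). The issuer URLs, scope names, subject map and HMAC keys are constructed for the example; HS256 is used only to keep it self-contained, and the `email` claim stands in for any claim that must not cross the trust boundary.

```python
"""Cross-domain identity via token exchange (RFC 8693) plus a JWT bearer
assertion (RFC 7523). Added illustration; issuers, keys, scopes and the
subject map are constructed, not taken from the draft."""
import base64, hashlib, hmac, json

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT (HMAC only to keep the example self-contained)."""
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def jwt_verify(token: str, key: bytes, iss: str, aud: str, now: int) -> dict:
    """Check signature, issuer, audience and expiry; raise on any failure."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_dec(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_dec(p))
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

# Constructed configuration for the two trust domains (hypothetical values).
KEY_A = b"domain-a-issuer-key"        # key of domain A's authorization server
KEY_STS = b"sts-signing-key"          # key the STS uses for cross-domain assertions
SUBJECT_MAP = {"alice@a.example": "a-7f3c"}  # domain-A subject -> domain-B subject
ALLOWED_SCOPES_IN_B = {"orders:read"}        # what domain A subjects may hold in B

def token_exchange(req: dict, now: int) -> str:
    """Step 2: the STS handles a token-exchange request from domain A."""
    if req.get("grant_type") != "urn:ietf:params:oauth:grant-type:token-exchange":
        raise ValueError("unsupported grant_type")
    if req.get("subject_token_type") != "urn:ietf:params:oauth:token-type:jwt":
        raise ValueError("unsupported subject_token_type")
    inbound = jwt_verify(req["subject_token"], KEY_A, iss="https://as.a.example",
                         aud="https://sts.a.example", now=now)
    # Map the subject identifier and down-scope to what domain B is allowed to see.
    mapped_sub = SUBJECT_MAP[inbound["sub"]]
    requested = set(req.get("scope", "").split())
    granted = sorted(requested & set(inbound["scope"].split()) & ALLOWED_SCOPES_IN_B)
    if not granted:
        raise ValueError("no permitted scope")
    # Selective: only the claims domain B needs are transcribed into the assertion.
    assertion = {"iss": "https://sts.a.example", "sub": mapped_sub,
                 "aud": req["audience"], "scope": " ".join(granted),
                 "iat": now, "exp": now + 300}
    return jwt_sign(assertion, KEY_STS)

def accept_assertion(assertion: str, now: int) -> dict:
    """Step 3: domain B validates the assertion presented as a JWT bearer grant."""
    return jwt_verify(assertion, KEY_STS, iss="https://sts.a.example",
                      aud="https://as.b.example", now=now)

def demo(now: int = 1_690_000_000) -> dict:
    # Step 1: a token issued in domain A, carrying a claim that must not leak into B.
    token_a = jwt_sign({"iss": "https://as.a.example", "sub": "alice@a.example",
                        "aud": "https://sts.a.example", "scope": "orders:read orders:write",
                        "email": "alice@a.example", "exp": now + 600}, KEY_A)
    assertion = token_exchange({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": token_a,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "audience": "https://as.b.example",
        "scope": "orders:read orders:write",
    }, now)
    return accept_assertion(assertion, now)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields an assertion whose `sub` is the mapped identifier, whose `scope` has been reduced to `orders:read`, and which carries no `email` claim; domain B refuses anything not signed with the STS key or not addressed to it, which is what prevents a domain-A token from being replayed directly into domain B.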
## Decisions and Action Items

* **JWT Embedded Tokens:** The authors will rework the document around approach 1, focus on how to embed tokens, and look into the protocol and whether it should be pulled out into a separate document.
* **Transaction Tokens:** Explore integration with SETs.
* **1st Party Native Apps:**
    * The authors will incorporate feedback and continue the discussion.
    * John and Aaron will arrange a call regarding an update to the BCP.

## Next Steps

* Authors to revise drafts based on meeting feedback.
* Further discussion on the mailing list regarding specific design choices.
* Explore outreach options with other relevant working groups.

---

**Session Date/Time:** 28 Jul 2023 16:30

# OAuth Working Group - Meeting Minutes

## Summary

This meeting covered several topics related to OAuth security and verifiable credentials. Presentations were given on European Digital Identity Wallets, SD-JWT based Verifiable Credentials, JWT/CWT status lists for token revocation, and attestation-based client authentication. The main themes were improving security and privacy in OAuth flows, especially for public clients, and exploring the use of verifiable credentials in various applications. The meeting concluded with a discussion of the scope and future direction of the working group in relation to verifiable credentials.

## Key Discussion Points

* **European Digital Identity Wallets:** Paolo presented an overview of the European Digital Identity Wallet initiative, highlighting the parallel development of regulation, technical specifications, wallet implementations, and pilot projects. The discussion focused on the need for standardization to ensure interoperability and security.
* **SD-JWT Based Verifiable Credentials:** Oliver Terbu presented SD-JWT VCs, a profile of SD-JWT for verifiable credentials. The discussion covered the benefits of SD-JWT VCs for selective disclosure and high-security use cases, as well as the rationale for not basing them on the W3C Verifiable Credentials Data Model.
* **JWT/CWT Status Lists:** Tobias Looker presented a draft on JWT and CWT representations of status lists for token revocation. The discussion addressed the scalability, privacy, and caching requirements for such a mechanism. Concerns were raised about the similarities to CRLs and OCSP, as well as the handling of permanently revoked tokens.
* **Attestation-Based Client Authentication:** Frank presented attestation-based client authentication, which addresses features missing from existing client authentication methods. Discussion revolved around applying it to public clients to give them stronger authentication.

## Decisions and Action Items

* **SD-JWT VC Adoption:** A straw poll indicated support for adopting the SD-JWT VC draft as a working group document.
* **JWT/CWT Status List Adoption:** There was broad support for this document, with some comments on scalability and privacy considerations. The group agreed to take it to the mailing list for official consideration.
* **Charter Review:** The working group will discuss a possible rechartering, or the creation of a new working group dedicated to verifiable credentials.

## Next Steps

* The chairs will discuss with the ADs the possibility of rechartering the OAuth working group or forming a new working group focused on verifiable credentials.
* The SD-JWT VC and JWT/CWT Status List drafts will be submitted to the mailing list for adoption as working group documents.
* The working group will schedule a virtual meeting to discuss the charter and future direction.
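Two mechanisms recur across these minutes without being shown: the SD-JWT machinery that the first session argued about (the `_sd` digest array, disclosures, decoy digests and the `{"...": digest}` syntax for array elements) and the JWT status list that the third session discussed for revocation. The following is an added example written for these minutes, not code from either draft: it issues a credential payload with two selectively disclosable claims, one selectively disclosable array element and two decoys, verifies a presentation the way a verifier must (rejecting any disclosure the payload does not commit to, and treating an undisclosed array element as absent rather than as an error), and then builds and queries a status list in the packed, zlib-compressed, base64url form of the status list draft as I recall it. The claim values, status URI and index are constructed; nested `_sd` arrays inside objects, key binding and the signature over the payload are omitted.

```python
"""SD-JWT selective disclosure plus a status list lookup. Added illustration;
claim values, the status URI and the bit layout assumptions are mine, not the drafts'."""
import base64, hashlib, json, secrets, zlib

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_disclosure(value, name=None) -> str:
    """[salt, name, value] for an object property; [salt, value] for an array element."""
    salt = b64url(secrets.token_bytes(16))
    arr = [salt, name, value] if name is not None else [salt, value]
    return b64url(json.dumps(arr, separators=(",", ":")).encode())

def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())  # _sd_alg sha-256

def issue(claims: dict, hide: set, hide_items: dict, decoys: int):
    """Return (payload, disclosures). `hide` names claims that become `_sd` digests;
    `hide_items` maps an array claim to the indexes that become {"...": digest}."""
    payload, disclosures, sd = {"_sd_alg": "sha-256"}, [], []
    for name, value in claims.items():
        if name in hide:
            d = make_disclosure(value, name)
            disclosures.append(d); sd.append(digest(d))
        elif name in hide_items:
            payload[name] = []
            for i, item in enumerate(value):
                if i in hide_items[name]:
                    d = make_disclosure(item)
                    disclosures.append(d); payload[name].append({"...": digest(d)})
                else:
                    payload[name].append(item)
        else:
            payload[name] = value
    # Decoys hide how many claims were redacted; sorting hides their original order.
    sd += [digest(b64url(secrets.token_bytes(16))) for _ in range(decoys)]
    payload["_sd"] = sorted(sd)
    return payload, disclosures

def verify_presentation(payload: dict, presented: list) -> dict:
    """Rebuild disclosed claims; reject any disclosure the payload does not commit to."""
    by_digest = {digest(d): d for d in presented}
    committed = set(payload.get("_sd", []))
    out = {}
    for name, value in payload.items():
        if name in ("_sd", "_sd_alg"):
            continue
        if isinstance(value, list):
            out[name] = []
            for item in value:
                if isinstance(item, dict) and list(item) == ["..."]:
                    committed.add(item["..."])
                    if item["..."] in by_digest:  # undisclosed elements are simply absent
                        out[name].append(json.loads(b64url_dec(by_digest[item["..."]]))[1])
                else:
                    out[name].append(item)
        else:
            out[name] = value
    if set(by_digest) - committed:
        raise ValueError("disclosure not referenced by the SD-JWT")
    for dg in payload.get("_sd", []):
        if dg in by_digest:
            _, name, value = json.loads(b64url_dec(by_digest[dg]))
            out[name] = value
    return out

# Status list: `bits` bits per index, packed from the least significant bit of each
# byte upward (assumed layout), zlib-compressed, base64url-encoded as the `lst` value.
def build_status_list(statuses: list, bits: int = 1) -> str:
    per_byte = 8 // bits
    buf = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, st in enumerate(statuses):
        buf[idx // per_byte] |= (st & ((1 << bits) - 1)) << ((idx % per_byte) * bits)
    return b64url(zlib.compress(bytes(buf), 9))

def status_of(lst: str, idx: int, bits: int = 1) -> int:
    raw = zlib.decompress(b64url_dec(lst))
    per_byte = 8 // bits
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)

def demo():
    # Constructed credential: hide two claims, hide two of three nationalities, two decoys.
    claims = {"iss": "https://issuer.example", "given_name": "Erika",
              "birthdate": "1964-08-12", "nationalities": ["DE", "US", "FR"],
              "status": {"status_list": {"idx": 5, "uri": "https://issuer.example/status/1"}}}
    payload, disclosures = issue(claims, hide={"given_name", "birthdate"},
                                 hide_items={"nationalities": {1, 2}}, decoys=2)
    # Holder presents only given_name (disclosures[0]) and the "US" element (disclosures[2]).
    disclosed = verify_presentation(payload, [disclosures[0], disclosures[2]])
    lst = build_status_list([0, 0, 0, 1, 0, 0, 0, 0, 1, 1])  # indexes 3, 8 and 9 revoked
    revoked = status_of(lst, payload["status"]["status_list"]["idx"]) == 1
    return payload, disclosed, revoked
```

`demo()` returns a payload whose `_sd` holds four digests (two real, two decoys) so a verifier cannot tell how many claims exist, a disclosed claim set containing `given_name` and `["DE", "US"]` but no `birthdate`, and `revoked == False` for index 5. The status list for a million credentials compresses to a few bytes when few are revoked, which is the scalability argument from the session; the privacy cost the session raised is visible too, since one fetch of the list tells the issuer nothing about which index was checked only if the verifier caches the whole list rather than querying per token.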