[Openid-specs-igov] Wrapping up iGov OAuth 2.0 Profile

Dr. Kelley W Burgin kburgin at mitre.org
Thu Jul 18 19:14:25 UTC 2024


Dear iGov contributors,

During the last iGov WG call on June 25, I volunteered, along with Tom Clancy, to serve as editor for the next iGov Implementer’s Draft. We also discussed the timeline and requirements for publishing an Implementer’s Draft this Fall to meet the needs of iGov stakeholders.

As a part of that timeline, I’d like to wrap up the remaining OAuth 2.0 Profile Issues at the July 23 meeting. I realize the IETF meetings are next week, but the iGov meeting will occur before any IETF meetings on Tuesday. Then I’d like to wrap up the OpenID Connect profile at the August 20 iGov WG meeting.

Tom and I marked the remaining Issues (listed below) for the iGov OAuth 2.0 profile with BLOCKER to track them. OAuth 2.0 Profile Issues<https://bitbucket.org/openid/igov/issues?status=new&status=open&status=submitted&is_spam=%21spam&priority=blocker>

#10<https://bitbucket.org/openid/igov/issues/10> Change parameters from OIDC (nonce) to OAuth parameters in examples?
#14<https://bitbucket.org/openid/igov/issues/14> Require JWTs and Introspection?
        See Section 3.2.1. JWTs are required.
        Vague wording around Introspection – is introspection required by RS on every request?
#15<https://bitbucket.org/openid/igov/issues/15> Is the RS supposed to use Introspection on every request? (similar to Issue #14)
#17<https://bitbucket.org/openid/igov/issues/17> Move section on Authorization Response (Section 3.3) before section on RS interactions (Section 3.2)?
#18<https://bitbucket.org/openid/igov/issues/18> Why does token lifetime depend on client type?
        “For public clients access tokens SHOULD have a valid lifetime no greater than fifteen minutes”
#27<https://bitbucket.org/openid/igov/issues/27> Add best practices documents as references: RFC8725 and RFC9068
#32<https://bitbucket.org/openid/igov/issues/32> Require request object signature?
The issue claims protection against the attack described in the following post (with what Daniel calls the “Stronger Attacker Model”):
https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/
#34<https://bitbucket.org/openid/igov/issues/34> Add DNSSEC Considerations section?
#35<https://bitbucket.org/openid/igov/issues/35> Add Privacy Considerations section?
#38<https://bitbucket.org/openid/igov/issues/38> Add “Each RS can only trust tokens from a single Authorization Server”?
        Provides protection from authorization server mix-up attacks.
#43<https://bitbucket.org/openid/igov/issues/43> Add “Clients MUST use a unique redirect URI for each logical authorization server”?
        Provides protection from authorization server mix-up attacks.

Hope to see you at the WG meeting next week.

Regards,
Kelley
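Added example (Python), not part of the iGov profile, of this message or of Daniel Fett's post: it simulates the authorization-server mix-up attack that issues #38 and #43 refer to, so that the two proposed requirements can be seen doing their job. A client that shares one redirect URI across several logical authorization servers cannot tell that a code issued by the honest AS belongs to a flow it started with an attacker-controlled AS, and would redeem that code at the attacker's token endpoint; a client with a distinct redirect URI per AS notices the mismatch and stops. The resource-server half shows the single-trusted-AS policy from #38 as an `iss`/`aud` check on already-verified JWT access-token claims. The AS URLs, client redirect URIs, the in-memory delivery of the callback and the sample claims are all constructed for the example; these are the same defences the OAuth 2.0 Security BCP recommends against mix-up.

```python
import secrets

HONEST_AS = "https://as.honest.example"        # constructed issuer URLs
ATTACKER_AS = "https://as.attacker.example"


class Client:
    """OAuth 2.0 client that talks to several logical authorization servers.

    redirect_uris maps an issuer to the redirect URI the client registered at
    that AS. pending remembers, per state value, which AS a flow was started
    with, so the callback can check that the code came back the expected way.
    """

    def __init__(self, redirect_uris):
        self.redirect_uris = dict(redirect_uris)
        self.pending = {}  # state -> issuer the flow was started with

    def start_flow(self, issuer):
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return {"issuer": issuer,
                "redirect_uri": self.redirect_uris[issuer],
                "state": state}

    def handle_callback(self, redirect_uri, state, code):
        """Return the issuer whose token endpoint the code will be redeemed at.

        Raises ValueError when the code arrived at a redirect URI that is not
        the one registered for the AS this state was issued for: that is the
        mix-up signal which only per-AS redirect URIs can provide.
        """
        issuer = self.pending.pop(state, None)
        if issuer is None:
            raise ValueError("unknown or replayed state")
        if self.redirect_uris[issuer] != redirect_uri:
            raise ValueError(
                f"mix-up: flow started with {issuer} but its code arrived "
                f"at {redirect_uri}")
        return issuer


def run_mixup(client):
    """Simulate the mix-up attack against `client`.

    The user starts a flow with the attacker-controlled AS. That AS forwards
    the browser to the honest AS's authorization endpoint (reusing the
    client's state); the honest AS issues a code to the redirect URI the
    client registered *at the honest AS*. Returns the issuer the client would
    send the code to, or "detected" when the client rejects the callback.
    """
    req = client.start_flow(ATTACKER_AS)
    honest_redirect = client.redirect_uris[HONEST_AS]  # only URI the honest AS knows
    code = secrets.token_urlsafe(8)                    # code minted by the honest AS
    try:
        return client.handle_callback(honest_redirect, req["state"], code)
    except ValueError:
        return "detected"


def shared_uri_client():
    """One redirect URI shared by every AS, which issue #43 proposes to forbid."""
    return Client({HONEST_AS: "https://client.example/cb",
                   ATTACKER_AS: "https://client.example/cb"})


def per_as_uri_client():
    """A distinct redirect URI per logical AS, as issue #43 proposes."""
    return Client({HONEST_AS: "https://client.example/cb/as1",
                   ATTACKER_AS: "https://client.example/cb/as2"})


def rs_accepts(claims, trusted_issuer, rs_identifier):
    """Resource-server policy from issue #38: exactly one trusted AS.

    Assumes the JWT access token's signature has already been verified
    (RFC 9068); this checks only that iss is the one configured AS and that
    aud names this RS, so a token from any other AS is refused regardless
    of who signed it.
    """
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return claims.get("iss") == trusted_issuer and rs_identifier in auds


if __name__ == "__main__":
    print("shared redirect URI  ->", run_mixup(shared_uri_client()))
    print("per-AS redirect URIs ->", run_mixup(per_as_uri_client()))
    rs = "https://rs.example"
    print("RS accepts honest AS token   ->",
          rs_accepts({"iss": HONEST_AS, "aud": rs}, HONEST_AS, rs))
    print("RS accepts attacker AS token ->",
          rs_accepts({"iss": ATTACKER_AS, "aud": rs}, HONEST_AS, rs))
```

With the shared redirect URI, `run_mixup` returns the attacker's issuer: the client has no signal and would post the honest AS's code to the attacker's token endpoint. With per-AS redirect URIs it returns "detected". The `iss` check in the callback recommended by the Security BCP is a complementary signal; the per-AS redirect URI works even with an AS that does not return `iss` in the authorization response.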

