Re: [Ace] [EXTERNAL] RE: Access token question

Jim Schaad <ietf@augustcellars.com> Mon, 24 February 2020 17:04 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Francesca Palombini' <francesca.palombini@ericsson.com>, 'Mike Jones' <Michael.Jones@microsoft.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se>
CC: 'Ace Wg' <ace@ietf.org>
References: <C233BD01-B46E-458A-A9B0-E1FB03E82C67@ericsson.com> <00da01d5e8da$7ce45130$76acf390$@augustcellars.com> <DM6PR00MB068296640E3FC5A119328C10F5120@DM6PR00MB0682.namprd00.prod.outlook.com> <D7ED6308-E621-476E-8C4A-17B10F5E7356@ericsson.com>
In-Reply-To: <D7ED6308-E621-476E-8C4A-17B10F5E7356@ericsson.com>
Date: Mon, 24 Feb 2020 09:04:02 -0800
Message-ID: <01a201d5eb34$6c2d42f0$4487c8d0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/5cD_hE1_nMqFvwBL6xHZYeMXMP8>
Subject: Re: [Ace] [EXTERNAL] RE: Access token question

I have found that I had to put a scope encoding format into my database for each audience definition.  Just saying that the scope is CBOR is not going to be sufficient, just like saying that it is a text string is not enough.
For the text string side you have:

* It is a text string
* It is a text string with space separated values
* It is a text string with space separated values and each value has an underscore which separates operation and resource (MQTT)
On the binary side you have:

* The proposal from Carsten that has not been adopted anywhere yet.
* The group communication format (roughly based on the above format)
There is a question about how all of the binary values are going to work if you do a JSON encoded request rather than a CBOR encoded request.  At the moment, I am assuming that the binary value is encoded (in CBOR) and then base64url encoded and placed in the JSON.  I am not sure if people are going to want to define this as being native JSON instead depending on how the fields of the binary format are encoded.
Given all of this, I don’t know if adding something to the framework is going to be generally useful or not.  So much of what a scope looks like is going to be application dependent.  With any luck we are going to be able to get a good set of scope definitions at some point in the near future and can produce a survey document.  I am not holding my breath on this yet.
Jim
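
As an added example (not code from this thread or from any ACE implementation), the per-audience scope format lookup Jim describes, covering the plain text, space-separated, MQTT-style and CBOR-in-JSON cases; the audience names, format labels and sample scopes are constructed.

```python
import base64
# Constructed registry: the scope encoding each audience uses. As the
# message says, "text" or "CBOR" alone does not tell you how to parse it.
SCOPE_FORMATS = {
    "coaps://sensor.example": "text",         # one opaque text string
    "https://files.example": "text-sp",       # space-separated values
    "mqtt://broker.example": "text-sp-mqtt",  # space-separated op_resource
    "coaps://group.example": "binary",        # CBOR array of [tstr, uint]
}

def cbor_decode(buf, i=0):
    """Toy CBOR decoder: uint, tstr and array, lengths < 24 only; enough
    for the constructed binary scope below, not a general parser."""
    mt, ai = buf[i] >> 5, buf[i] & 0x1F
    if ai >= 24:
        raise ValueError("long-form CBOR heads not supported here")
    i += 1
    if mt == 0:                       # unsigned integer
        return ai, i
    if mt == 3:                       # text string
        return buf[i:i + ai].decode("utf-8"), i + ai
    if mt == 4:                       # array
        items = []
        for _ in range(ai):
            item, i = cbor_decode(buf, i)
            items.append(item)
        return items, i
    raise ValueError(f"unsupported CBOR major type {mt}")

def decode_scope(audience, raw, transport):
    """Normalise a scope to [(resource, operation), ...]. `transport` is
    "json" or "cbor": a binary scope inside a JSON request arrives
    base64url-encoded, per the assumption stated in the message."""
    fmt = SCOPE_FORMATS[audience]            # KeyError: unknown audience
    if fmt == "text":
        return [(raw, None)]
    if fmt == "text-sp":
        return [(v, None) for v in raw.split(" ") if v]
    if fmt == "text-sp-mqtt":                # "publish_topic" -> (topic, "publish")
        return [(v.partition("_")[2], v.partition("_")[0]) for v in raw.split(" ") if v]
    if transport == "json":                  # undo the JSON-only base64url layer
        raw = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    decoded, end = cbor_decode(raw)
    if end != len(raw):
        raise ValueError("trailing bytes after CBOR scope")
    return [(res, perm) for res, perm in decoded]

# Constructed sample: [["temp", 1], ["light", 3]] as CBOR, and as carried in JSON.
GROUP_SCOPE_CBOR = bytes.fromhex("82826474656d700182656c6967687403")
GROUP_SCOPE_JSON = base64.urlsafe_b64encode(GROUP_SCOPE_CBOR).rstrip(b"=").decode()
```

The same raw string "read write" yields one entry for the first audience and two for the second, which is the point: the audience's registered format, not the string, decides how the scope is split.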
From: Francesca Palombini <francesca.palombini@ericsson.com> 
Sent: Sunday, February 23, 2020 11:55 PM
To: Mike Jones <Michael.Jones@microsoft.com>; Jim Schaad <ietf@augustcellars.com>; 'Seitz Ludwig' <ludwig.seitz@combitech.se>
Cc: 'Ace Wg' <ace@ietf.org>
Subject: Re: [EXTERNAL] RE: Access token question
Thanks all! Section 8.13 of the framework is exactly what I was looking for, I don’t know how I did not see it. A bit surprised there is no text referencing it in the framework itself.
Also, about the “scope” claim registration: the claim description and the specification document give 2 different pointers. The claim description ref points to the description for JWT (JSON string etc), I think this should be adapted to using CBOR (writing a section in the ACE framework, which could then reference both pointers). Also minor, I would add the precise section of 6749 we should look at, which I assume is 3.3.
Francesca
From: Mike Jones <Michael.Jones@microsoft.com>
Date: Friday, 21 February 2020 at 19:45
To: Jim Schaad <ietf@augustcellars.com>, Francesca Palombini <francesca.palombini@ericsson.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se>
Cc: Ace Wg <ace@ietf.org>
Subject: RE: [EXTERNAL] RE: Access token question
And https://tools.ietf.org/html/rfc8693#section-7.4, which registers “scope” at https://www.iana.org/assignments/jwt/jwt.xhtml.

-- Mike

From: Jim Schaad <ietf@augustcellars.com>
Sent: Friday, February 21, 2020 9:15 AM
To: 'Francesca Palombini' <francesca.palombini@ericsson.com>; 'Seitz Ludwig' <ludwig.seitz@combitech.se>; Mike Jones <Michael.Jones@microsoft.com>
Cc: 'Ace Wg' <ace@ietf.org>
Subject: [EXTERNAL] RE: Access token question
You are missing something
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13
defined here
From: Francesca Palombini <francesca.palombini@ericsson.com>
Sent: Friday, February 21, 2020 4:37 AM
To: Seitz Ludwig <ludwig.seitz@combitech.se>; Mike Jones <Michael.Jones@microsoft.com>; Jim Schaad <ietf@augustcellars.com>
Cc: Ace Wg <ace@ietf.org>
Subject: Access token question
Hi,
Quick question regarding access token and scope. 

I know that “scope” semantics is left to the application to define, but in general I would expect to include there some information about resource and method/operations allowed on that resource. Please correct me if any of this is not exact.
It was my understanding that “scope” (or more precisely the “scope” value) defined for the Client-AS request and response should be included in the access token as well. Checking in CWT, there is no such “scope” claim defined. “aud” claim is indeed defined for the CWT, but that should correspond to “aud” parameter in the ACE request/response. So where do I put the exact resource and operations in the access token?
What am I missing?


Francesca