Re: [Ace] Access token question

Jim Schaad <ietf@augustcellars.com> Fri, 21 February 2020 17:15 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Francesca Palombini' <francesca.palombini@ericsson.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se>, 'Mike Jones' <Michael.Jones@microsoft.com>
CC: 'Ace Wg' <ace@ietf.org>
References: <C233BD01-B46E-458A-A9B0-E1FB03E82C67@ericsson.com>
In-Reply-To: <C233BD01-B46E-458A-A9B0-E1FB03E82C67@ericsson.com>
Date: Fri, 21 Feb 2020 09:15:13 -0800
Message-ID: <00da01d5e8da$7ce45130$76acf390$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/6rRAYj3iOAZjAkLATzdDSCoXIEc>
Subject: Re: [Ace] Access token question

You are missing something


https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13


defined here


From: Francesca Palombini <francesca.palombini@ericsson.com> 
Sent: Friday, February 21, 2020 4:37 AM
To: Seitz Ludwig <ludwig.seitz@combitech.se>; Mike Jones <Michael.Jones@microsoft.com>; Jim Schaad <ietf@augustcellars.com>
Cc: Ace Wg <ace@ietf.org>
Subject: Access token question


Hi,


Quick question regarding access token and scope. 

I know that “scope” semantics is left to the application to define, but in general I would expect to include there some information about resource and method/operations allowed on that resource. Please correct me if any of this is not exact.


It was my understanding that “scope” (or more precisely the “scope” value) defined for the Client-AS request and response should be included in the access token as well. Checking in CWT, there is no such “scope” claim defined. “aud” claim is indeed defined for the CWT, but that should correspond to “aud” parameter in the ACE request/response. So where do I put the exact resource and operations in the access token?


What am I missing?


Francesca
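The claim the reply points to, as an added example that is not part of the thread: the "scope" claim registered for CWT by the ACE OAuth framework (draft-ietf-ace-oauth-authz, published as RFC 9200; claim key 9 in the CWT Claims registry) carried in a CWT claims set next to "aud", with the resource server's check of it. The minimal CBOR encoder, the claim values and the scope string "r_temp w_light" are constructed for this example; a real access token is additionally COSE signed or MACed.

```python
# Added example (not from the thread): an ACE access token's CWT claims set
# (RFC 8392) with the "scope" claim the reply points to. Claim keys come
# from the CWT Claims registry: iss=1, aud=3, exp=4, cnf=8 (RFC 8747),
# scope=9 (registered by the ACE OAuth framework, RFC 9200).
# The CBOR encoder below is a constructed minimal subset (ints, byte and
# text strings, maps); a real token is additionally COSE signed or MACed.

ISS, AUD, EXP, CNF, SCOPE = 1, 3, 4, 8, 9
KID = 3  # key inside the cnf map (RFC 8747)

def _head(major, n):
    """CBOR initial byte(s) for a major type and unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")

def cbor_encode(v):
    if isinstance(v, int):          # major types 0 and 1
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):        # major type 2
        return _head(2, len(v)) + v
    if isinstance(v, str):          # major type 3
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, dict):         # major type 5, keys in insertion order
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def ace_token_claims(iss, aud, scope, exp, pop_kid):
    """Claims set: aud names the RS, scope carries the application-defined
    resource/operation grant, cnf binds the proof-of-possession key."""
    return {ISS: iss, AUD: aud, EXP: exp, CNF: {KID: pop_kid}, SCOPE: scope}

def rs_permits(claims, my_aud, requested_scope, now):
    """Resource-server check: token is for me, unexpired, and the requested
    scope token (e.g. "r_temp") is among the space-separated granted ones."""
    if claims.get(AUD) != my_aud or claims.get(EXP, 0) <= now:
        return False
    granted = claims.get(SCOPE, "")
    if isinstance(granted, bytes):  # scope may also be a byte string; this
        return False                # constructed RS only understands text
    return requested_scope in granted.split()

# Constructed values: "r_temp w_light" is an application-defined scope
# encoding meaning read "temp" and write "light".
CLAIMS = ace_token_claims("as", "rs1", "r_temp w_light", 1582304400, b"\x01")
ENCODED = cbor_encode(CLAIMS)
```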