Re: [Ace] [EXTERNAL] RE: Access token question

Mike Jones <Michael.Jones@microsoft.com> Fri, 21 February 2020 18:45 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Francesca Palombini' <francesca.palombini@ericsson.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se>
CC: 'Ace Wg' <ace@ietf.org>
Thread-Topic: [EXTERNAL] RE: Access token question
Thread-Index: AQHV6LOn1YxpaJAAlEyTLIgejF6mBqgl442AgAAZCUA=
Date: Fri, 21 Feb 2020 18:45:26 +0000
Message-ID: <DM6PR00MB068296640E3FC5A119328C10F5120@DM6PR00MB0682.namprd00.prod.outlook.com>
References: <C233BD01-B46E-458A-A9B0-E1FB03E82C67@ericsson.com> <00da01d5e8da$7ce45130$76acf390$@augustcellars.com>
In-Reply-To: <00da01d5e8da$7ce45130$76acf390$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Z-ZR_cNX_SpMKLkvGr24br7ckW4>

And https://tools.ietf.org/html/rfc8693#section-7.4, which registers “scope” at https://www.iana.org/assignments/jwt/jwt.xhtml.

-- Mike

From: Jim Schaad <ietf@augustcellars.com>
Sent: Friday, February 21, 2020 9:15 AM
To: 'Francesca Palombini' <francesca.palombini@ericsson.com>; 'Seitz Ludwig' <ludwig.seitz@combitech.se>; Mike Jones <Michael.Jones@microsoft.com>
Cc: 'Ace Wg' <ace@ietf.org>
Subject: [EXTERNAL] RE: Access token question

You are missing something

https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13

defined here

From: Francesca Palombini <francesca.palombini@ericsson.com>
Sent: Friday, February 21, 2020 4:37 AM
To: Seitz Ludwig <ludwig.seitz@combitech.se>; Mike Jones <Michael.Jones@microsoft.com>; Jim Schaad <ietf@augustcellars.com>
Cc: Ace Wg <ace@ietf.org>
Subject: Access token question

Hi,

Quick question regarding access token and scope.
I know that “scope” semantics is left to the application to define, but in general I would expect to include there some information about resource and method/operations allowed on that resource. Please correct me if any of this is not exact.

It was my understanding that “scope” (or more precisely the “scope” value) defined for the Client-AS request and response should be included in the access token as well. Checking in CWT, there is no such “scope” claim defined. “aud” claim is indeed defined for the CWT, but that should correspond to “aud” parameter in the ACE request/response. So where do I put the exact resource and operations in the access token?

What am I missing?

Francesca
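The thread's answer is that the access token does carry the scope: the ACE framework registers a "scope" CWT claim (claim key 9 in the published RFC 9200, the draft cited above) alongside "aud". The following is an added example, not code from the thread or from any ACE implementation, of how a resource server would consume those two claims after the CWT's signature or MAC has already been verified. The "resource:METHOD,METHOD" scope format and the sample claims set are assumptions constructed here, since ACE leaves scope semantics to the application.

```python
import time

# CWT claim keys from RFC 8392; "scope" (key 9) is registered by the ACE
# OAuth framework (draft-ietf-ace-oauth-authz, published as RFC 9200).
CLAIM_AUD = 3
CLAIM_EXP = 4
CLAIM_SCOPE = 9


def parse_scope(scope):
    """Parse an application-defined scope string: space-separated entries
    of the form '<resource>:<METHOD>[,<METHOD>...]'. This format is an
    assumption for illustration; ACE does not mandate any scope syntax."""
    perms = {}
    for entry in scope.split():
        resource, _, methods = entry.partition(":")
        if not resource or not methods:
            raise ValueError(f"malformed scope entry: {entry!r}")
        perms.setdefault(resource, set()).update(methods.upper().split(","))
    return perms


def authorize(claims, rs_id, resource, method, now=None):
    """Decide whether an already integrity-verified CWT claims set permits
    `method` on `resource` at the resource server `rs_id`.
    Returns (allowed, reason). Checks run in order: audience, expiry, scope."""
    now = time.time() if now is None else now
    aud = claims.get(CLAIM_AUD)
    if isinstance(aud, str):
        aud = [aud]  # "aud" may be a single value or an array
    if not aud or rs_id not in aud:
        return False, "audience mismatch"
    exp = claims.get(CLAIM_EXP)
    if exp is not None and now >= exp:
        return False, "token expired"
    scope = claims.get(CLAIM_SCOPE)
    if not isinstance(scope, str):  # ACE also allows a byte-string scope; not handled here
        return False, "no usable scope claim"
    if method.upper() not in parse_scope(scope).get(resource, set()):
        return False, "scope does not cover operation"
    return True, "ok"


# Constructed sample claims set: the decoded payload of a CWT, keyed by the
# integer claim keys above. Values are illustrative only.
SAMPLE_CLAIMS = {
    CLAIM_AUD: "tempSensor4711",
    CLAIM_EXP: 1600000000,
    CLAIM_SCOPE: "temp:GET light:GET,PUT",
}
```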