Re: [Ace] [EXTERNAL] RE: Access token question
Francesca Palombini <francesca.palombini@ericsson.com> Mon, 24 February 2020 07:55 UTC
Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E5E03A07E2 for <ace@ietfa.amsl.com>; Sun, 23 Feb 2020 23:55:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_vzbJLf6DBN for <ace@ietfa.amsl.com>; Sun, 23 Feb 2020 23:55:03 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on0620.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::620]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D265C3A07E1 for <ace@ietf.org>; Sun, 23 Feb 2020 23:55:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ef68UxkSYTZx3jh2cqGcuHsza+9+hsnRVWCRofWcDx1XYRIdTsetKWNTHKw3scS/78DCZKahIvwRu1LDKz1BS1WXrfXYyCjSI/chOkaJIfudSav8N4XbrlNfzL5/wkrra22vLVQx7yVcX4rvh68D/9aFOofaJQKqU5zBSRDpct5iMwtNtmQ+ecjMIzCeX1UYqyJNh5b7J0whfSHuNtXZpLcmI46h+mJBFwyMZjqRiUnzRClVOTen23uYFUqn4G8lvjC2jiCabHcl2LvQCi4WoBG8RrwRavp7y1RaLkEfQfnuC5xi7pO24qYv4qFUTdWNVM+ujryqoi1VdON9CcikkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vi2DK0s9JTIfIe1Rv/3iTlW6yEjLwLmSh7eGXzKp4+8=; b=VjC1324PJoOYda0bogcU90UwNKilHK7OMnEIC6P7snF3gjGI/IpXcXkPxSYNqiVriCA0H7zYBfSJy9lXj3W7Tf5aW+ikPoCn15NjNy6zB8ztjXwQrpEF54wv606twBWnXbXlj2bS6yG+AhFdUhWNq2RuGhwMz7eSeOMIo5WTndmwLBGlGCenV6QxQwt2NqniYN61kcBJie2GvQR/PB42N6n1w33GG+t0dmyYTgT+dVfKhx/r3vdMrkhBM8sisFFuOcHPjKNznc84Wnos4wqG+wkccMs9NWRJ2ng7Nbohykya1KGOh4Y1Xcx8+w2FjI8wKj8BzP+U6kEYOtQeSwcKeg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vi2DK0s9JTIfIe1Rv/3iTlW6yEjLwLmSh7eGXzKp4+8=; b=Tb2HzHfkrSAfdE8o7YcH6tZWeva51x8v7NI8+PbztoepRnuXhKBmcmOTUyQT5ZzzYy72k8ELZI0Zl2bL7Cyr2H2rRjAQSqCgMj84zIcejChkYob/CQTCTovykRsvjjGBd+BLeIQI8rFv/zaNh1FgQeaG7qFGqXejc1aEwxPknIw=
Received: from AM6PR07MB4053.eurprd07.prod.outlook.com (52.134.117.139) by AM6PR07MB4053.eurprd07.prod.outlook.com (52.134.117.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.9; Mon, 24 Feb 2020 07:54:59 +0000
Received: from AM6PR07MB4053.eurprd07.prod.outlook.com ([fe80::7537:e135:422d:c5a7]) by AM6PR07MB4053.eurprd07.prod.outlook.com ([fe80::7537:e135:422d:c5a7%5]) with mapi id 15.20.2772.012; Mon, 24 Feb 2020 07:54:59 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se>
CC: 'Ace Wg' <ace@ietf.org>
Thread-Topic: [EXTERNAL] RE: Access token question
Thread-Index: AQHV6LOn1YxpaJAAlEyTLIgejF6mBqgl442AgAAZCUCABBIygA==
Date: Mon, 24 Feb 2020 07:54:59 +0000
Message-ID: <D7ED6308-E621-476E-8C4A-17B10F5E7356@ericsson.com>
References: <C233BD01-B46E-458A-A9B0-E1FB03E82C67@ericsson.com> <00da01d5e8da$7ce45130$76acf390$@augustcellars.com> <DM6PR00MB068296640E3FC5A119328C10F5120@DM6PR00MB0682.namprd00.prod.outlook.com>
In-Reply-To: <DM6PR00MB068296640E3FC5A119328C10F5120@DM6PR00MB0682.namprd00.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=a0896083-77dd-4ee6-b1d0-000079222655; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-02-21T18:44:49Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=francesca.palombini@ericsson.com;
x-originating-ip: [158.174.219.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1a203d6a-9f4d-41ca-839d-08d7b8fed906
x-ms-traffictypediagnostic: AM6PR07MB4053:
x-microsoft-antispam-prvs: <AM6PR07MB40531085041BE202659AE28B98EC0@AM6PR07MB4053.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 032334F434
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(346002)(39860400002)(396003)(376002)(199004)(189003)(33656002)(86362001)(53546011)(91956017)(26005)(76116006)(45080400002)(71200400001)(6486002)(66946007)(36756003)(2616005)(478600001)(44832011)(966005)(81166006)(186003)(5660300002)(8676002)(66476007)(6512007)(316002)(6506007)(66446008)(64756008)(110136005)(81156014)(2906002)(4326008)(66556008)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB4053; H:AM6PR07MB4053.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZmsGaHYYUTVizd1s17M0QUDVKXLYGXa/e/81fHlOYmz8G53WlbkQiwGvBw3mpbKHXYOGVxieWwc1SNiSojCE8MTF5aLW3k4ew0iDqX6H7ABechLRBUrFs6pDNgfUhz1Vz2PvxGXVBqVhSRTZuVI3u/V+Gn+33WOOGo6wgfBv2MafLVfctlFSNDAVXVPEXdIMipxij8YyKfSWmZEXjZkRYiAOHufeMDFNfrFa3Bugcjdp3e7UKmwj0vx4PGcnsXQnnONcx85MpgwKcZBpM5gHLmKEZM5UwUffnW4pUuUW1nUnEL9utSmhQhHFzbRz7oPdyCZ/BiPwQ+0FS9kZJbsBo3VhmslGqjMXd5m/y+6XVNSg/UfGuMi6iXpqQ24Sto43EJFYzA1hw5Hy3lN8QvFGYjikApp5qKzjDkuj4HEoygKVqK1wjAO8f2r88FsQiAbQmA7amkoyELQazYLgARqgpWrB+HqbLwZiqQFkmlM6fjrsAveHgxJePgdNb5oAPweHjKRqtAL12b68O+L3RjMekg==
x-ms-exchange-antispam-messagedata: ecsVw+hMw+u/f7dCg+h5KHFHyw25g3k9Vmz1SJ6rtdH/StonB445lq1PLpywb3K1A7hf3712XnQSuB0Co0/HjfwMp4v6Mxk4hVGjMOHxQDuNNlPjrECoaPpd9FJJXYp/qzJRqvv4ylVrS4CJgJsmZA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_D7ED6308E621476E8C4A17B10F5E7356ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1a203d6a-9f4d-41ca-839d-08d7b8fed906
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Feb 2020 07:54:59.6672 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pkB4WeiTaVMKkiVlw3OteRa6NpfkhBIQ/GPUlXf42Q1Y3Gl0lPRP4NWTIHM8fPEKH1yHJVfcFDUx7GHt2V1IsOSAjSlBcwYc4h94ZjsiiXIPw+/YUIqgE/t+/PocWP5U
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4053
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/zOqLWkJmriVfqkSLLpxnsPVtrUw>
Subject: Re: [Ace] [EXTERNAL] RE: Access token question
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Feb 2020 07:55:05 -0000
Thanks all! Section 8.13 of the framework is exactly what I was looking for, I don’t know how I did not see it. A bit surprised there is no text referencing it in the framework itself. Also, about the “scope” claim registration: the claim description and the specification document give 2 different pointers. The claim description ref points to the description for JWT (JSON string etc), I think this should be adapted to using CBOR (writing a section in the ACE framework, which could then reference both pointers). Also minor, I would add the precise section of 6749 we should look at, which I assume is 3.3. Francesca From: Mike Jones <Michael.Jones@microsoft.com> Date: Friday, 21 February 2020 at 19:45 To: Jim Schaad <ietf@augustcellars.com>, Francesca Palombini <francesca.palombini@ericsson.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se> Cc: Ace Wg <ace@ietf.org> Subject: RE: [EXTERNAL] RE: Access token question And https://tools.ietf.org/html/rfc8693#section-7.4, which registers “scope” at https://www.iana.org/assignments/jwt/jwt.xhtml. -- Mike From: Jim Schaad <ietf@augustcellars.com> Sent: Friday, February 21, 2020 9:15 AM To: 'Francesca Palombini' <francesca.palombini@ericsson.com>; 'Seitz Ludwig' <ludwig.seitz@combitech.se>; Mike Jones <Michael.Jones@microsoft.com> Cc: 'Ace Wg' <ace@ietf.org> Subject: [EXTERNAL] RE: Access token question You are missing something https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13<https://protect2.fireeye.com/v1/url?k=72002d7d-2ed426d6-72006de6-864b0d136b87-400f082a818228df&q=1&e=a5d76c10-357e-4834-9e8c-56996a757268&u=https%3A%2F%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Ftools.ietf.org%252Fhtml%252Fdraft-ietf-ace-oauth-authz-33%2523section-8.13%26data%3D02%257C01%257CMichael.Jones%2540microsoft.com%257C41e26bbcdb7c4f902d7908d7b6f1a860%257C72f988bf86f141af91ab2d7cd011db47%257C1%257C0%257C637179021340478864%26sdata%3DbMozqI2BYqMAAViWLIIKzJBvQFa30eqKVHtqUiC3bH8%253D%26reserved%3D0> defined here From: Francesca Palombini <francesca.palombini@ericsson.com<mailto:francesca.palombini@ericsson.com>> Sent: Friday, February 21, 2020 4:37 AM To: Seitz Ludwig <ludwig.seitz@combitech.se<mailto:ludwig.seitz@combitech.se>>; Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> Cc: Ace Wg <ace@ietf.org<mailto:ace@ietf.org>> Subject: Access token question Hi, Quick question regarding access token and scope. I know that “scope” semantics is left to the application to define, but in general I would expect to include there some information about resource and method/operations allowed on that resource. Please correct me if any of this is not exact. It was my understanding that “scope” (or more precisely the “scope” value) defined for the Client-AS request and response should be included in the access token as well. Checking in CWT, there is no such “scope” claim defined. “aud” claim is indeed defined for the CWT, but that should correspond to “aud” parameter in the ACE request/response. So where do I put the exact resource and operations in the access token? What am I missing? Francesca
- [Ace] Access token question Francesca Palombini
- Re: [Ace] Access token question Jim Schaad
- Re: [Ace] [EXTERNAL] RE: Access token question Mike Jones
- Re: [Ace] [EXTERNAL] RE: Access token question Francesca Palombini
- Re: [Ace] [EXTERNAL] RE: Access token question Jim Schaad
- Re: [Ace] [EXTERNAL] RE: Access token question Carsten Bormann