Re: [Jwt-reg-review] Request to register claim: permissions

Brian Campbell <bcampbell@pingidentity.com> Wed, 28 June 2017 20:25 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 28 Jun 2017 14:24:34 -0600
Message-ID: <CA+k3eCRPevg3CNUTXgsQMn4Yg8sPcmEyixbova+DGx9=Ski4kw@mail.gmail.com>
To: Eve Maler <eve.maler@forgerock.com>
Cc: jwt-reg-review@ietf.org, Maciej Machulak <maciej.machulak@gmail.com>, Justin Richer <justin@bspk.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/hmMQ9ZdLcVJqH2B-lkSMXSzzjG8>

Hi Eve,

I think a bit more revision work on the document is needed before this
request to register the 'permissions' JWT claim can be sent to IANA.

Section 5 kind of sort of implies the possible use of JWT in saying,
"Validate the RPT locally if it is self-contained" but otherwise JWT isn't
mentioned in the document at all other than the IANA request in Section
9.2. (which cites [OIDCCore] regarding JWT claim registration rather than
RFC 7519 that it should be - see
https://tools.ietf.org/html/rfc7800#section-6.1 for an example).  For that matter RFC 7519, which defines
JSON Web Token and established the claims registry, isn't even referenced
in the document.

Section 5.1.1
<https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#uma-bearer-token-profile>
is about the 'permissions' parameter in the Token Introspection response.
While there are similarities in how they sometimes are used, the
introspection response parameters and JWT claims are distinct and different
things. Sec 5.1.1. can't be said to define a JWT claim. At the least, I
would expect some definition of the 'permissions' claim in JWT even if it
just cites the introspection response parameter and says it means the same
thing but is a claim in a self-contained JWT. I'm guessing that was more or
less the intent. But that's a lot of inferring and I believe a
specification and IANA registration need to be more explicit.

On Fri, Jun 16, 2017 at 6:41 PM, Eve Maler <eve.maler@forgerock.com> wrote:

> As required by RFC 7519 Section 10.1, the authors of the specification Federated
> Authorization for User-Managed Access (UMA) 2.0
> <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html> are
> requesting to register the following claim:
>
>    - permissions
>
> The claim definition appears in Section 5.1.1
> <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#uma-bearer-token-profile>.
> The IANA request appears in Section 9.2
> <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#rfc.section.9.2>.
>
> Thank you. We look forward to your response.
>
>
> Eve Maler
> ForgeRock Office of the CTO | VP Innovation & Emerging Technology
> Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


-- 
Brian Campbell
Distinguished Engineer
Ping Identity <https://www.pingidentity.com>
bcampbell@pingidentity.com
w: +1 720.317.2061
c: +1 303.918.9415
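The distinction Brian draws above, between 'permissions' as a Token Introspection response parameter and 'permissions' as a claim inside a self-contained RPT, is illustrated by this added example (not code from the thread, the UMA draft, or any implementation): the same permission data reaches the resource server (RS) either inside a JWT it validates locally or inside an introspection response it trusts because of the authenticated channel to the authorization server (AS). The HS256 shared key, the issuer/audience values and the shape of each permission entry (resource_id, resource_scopes, exp) are assumptions constructed for the demonstration.

```python
import base64, hashlib, hmac, json
# Constructed sample values (assumptions for illustration, not taken from the UMA draft).
KEY = b"constructed-shared-secret"          # HS256 key the RS shares with the AS
ISSUER, AUDIENCE, NOW = "https://as.example", "https://rs.example", 1498681505
PERMISSIONS = [{"resource_id": "album-42", "resource_scopes": ["view"], "exp": NOW + 600}]

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_self_contained_rpt(permissions, key=KEY, now=NOW) -> str:
    """AS side: carry 'permissions' as a claim inside a signed JWT (compact JWS)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + 600,
              "permissions": permissions}
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def permissions_from_self_contained_rpt(rpt: str, key=KEY, now=NOW):
    """RS side, 'validate the RPT locally': the claim is trusted only after the
    signature, issuer, audience and time window check out. Returns None otherwise."""
    parts = rpt.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                       # bad base64url, bad JSON, bad UTF-8
        return None
    if header.get("alg") != "HS256":        # pin the algorithm the RS expects
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        return None
    return claims.get("permissions")

def permissions_from_introspection(response: dict):
    """RS side, opaque RPT: 'permissions' is an RFC 7662 introspection response
    parameter; trust rests on the authenticated channel to the AS, not on a signature."""
    if response.get("active") is not True:
        return None
    return response.get("permissions")
```

Note that nothing in the JWT path consults the AS, and nothing in the introspection path checks a signature, which is why a specification has to say explicitly that the claim and the parameter carry the same meaning.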
