Re: [OAUTH-WG] JWT grant_type and client_id

Brian Campbell <bcampbell@pingidentity.com> Wed, 01 May 2013 12:37 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 01 May 2013 06:35:39 -0600
Message-ID: <CA+k3eCSiYuFmL3sz6MUW-+79Wz6q+s17vVRdeg0e44t-N9giaQ@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT grant_type and client_id
List-Id: OAUTH WG <oauth.ietf.org>

Just trying to close the loop on this thread (six weeks later, sorry). New
drafts were published last month that (hopefully) have more clear text
about the treatment of client_id. And it's been removed from examples where
it's optional.

http://www.ietf.org/mail-archive/web/oauth/current/msg11213.html


On Tue, Mar 19, 2013 at 4:22 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi,
>
> Just one remark, the example in [1] shows "client_id"; IMHO it makes sense
> to clarify that in this context (where the assertion is used as a grant),
> it is optional as per:
>
> http://tools.ietf.org/html/rfc6749#section-3.2.1
>
> "A client MAY use the "client_id" request parameter to identify itself
>  when sending requests to the token endpoint"
>
> and otherwise
>
> http://tools.ietf.org/html/rfc6749#section-2.3
>
> dictates how the client authentication is done.
>
> By the way, my reading of the main spec's section 2.3 tells me that the
> only time one would use only "client_id" in the form payload is when the
> client secret is empty or perhaps the client is not in the possession of
> the secret.
>
> Does it make sense to completely drop a "client_id" parameter in the
> example at [1] in the assertion draft and use an example with a Basic
> authentication instead?
>
> Thanks, Sergey
>
>
> On 15/03/13 22:12, Brian Campbell wrote:
>
>> So currently the base assertion document defines scope as an HTTP
>> parameter on the access token request message when using an assertion as
>> a grant[1].  And that applies to both the SAML and JWT grants (perhaps
>> that needs to be more clear?). Also RFC 6749 defines the scope parameter
>> for the client credentials access token request[2], which similarly
>> applies to both SAML and JWT in the case of assertion client
>> authentication using the "client_credentials" grant type.
>>
>> [1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
>> [2] http://tools.ietf.org/html/rfc6749#section-4.4.1
>>
>>
>> On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022
>> <Adam.Lewis@motorolasolutions.com> wrote:
>>
>>     Right ... thinking about this further I think the answer is "all of
>>     the above."  If the JWT is a grant type then as you say it needs a
>>     scope param and optionally a client_id param.  I argued for the
>>     client_id param earlier since it could assist with HOK scenarios
>>     once those further develop.
>>
>>     But when the JWT is used as an AT then it will definitely require
>>     the scope as a claim.
>>
>>     So I change my argument to "both" :)
>>
>>     adam
>>
>>     -----Original Message-----
>>     From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>     Behalf Of Sergey Beryozkin
>>     Sent: Friday, March 15, 2013 4:31 PM
>>     To: oauth@ietf.org
>>     Subject: Re: [OAUTH-WG] JWT grant_type and client_id
>>
>>     Hi
>>     On 15/03/13 20:40, Lewis Adam-CAL022 wrote:
>>      > Hi John,
>>      >
>>      > I would like to argue that the scope should be a parameter in the
>>      > access token request message, the same as it is for the RO creds grant
>>      > and client creds grant type. This would keep it consistent with the
>>      > core OAuth grant types that talk directly to the token endpoint.
>>      >
>>     Assuming the assertion is acting as a grant, then it is indeed an
>>     access token request message, so IMHO it makes sense to get an outbound
>>     scope parameter optionally supported which I guess will imply that the
>>     client id will also have to accompany it...
>>
>>     Cheers, Sergey
>>
>>      > Thoughts?
>>      >
>>      > adam
>>      >
>>      > *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
>>      > *Sent:* Friday, March 15, 2013 12:10 PM
>>      > *To:* Lewis Adam-CAL022
>>      > *Cc:* Brian Campbell; WG <oauth@ietf.org>
>>      > *Subject:* Re: [OAUTH-WG] JWT grant_type and client_id
>>      >
>>      > The spec is a touch vague on that. I think the scopes should be
>>      > in the assertion and the client can use the scopes outside the
>>      > assertion to down-scope.
>>      >
>>      > Having a standard claim in JWT and SAML for passing scopes is
>>      > probably useful as part of a profile.
>>      >
>>      > John B.
>>      >
>>      > On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022
>>      > <Adam.Lewis@motorolasolutions.com> wrote:
>>      >
>>      >
>>      >
>>      > Hmmm, one more thought ... no scope?? The JWT is the grant, is it
>>      > assumed that the scope is conveyed as a claim within the token?
>>      > Otherwise it would seem that it would require a scope.
>>      >
>>      > Thoughts?
>>      >
>>      > adam
>>      >
>>      > *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
>>      > *Sent:* Thursday, March 14, 2013 4:44 PM
>>      > *To:* Lewis Adam-CAL022
>>      > *Cc:* Mike Jones; WG <oauth@ietf.org>
>>      > *Subject:* Re: [OAUTH-WG] JWT grant_type and client_id
>>      >
>>      > Yes, that is correct.
>>      >
>>      > I'm working on new revisions of the drafts that will hopefully
>>      > make that point more clear.
>>      >
>>      > On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022
>>      > <Adam.Lewis@motorolasolutions.com> wrote:
>>      >
>>      > Coming back to this... am I correct in that client_id is not
>>      > required? We are implementing this spec and want to make sure
>>      > that we are doing it right. By my understanding the only two
>>      > parameters that are required in the JWT grant type are
>>      > "urn:ietf:params:oauth:grant-type:jwt-bearer" and the assertion.
>>      > Is this correct?
>>      >
>>      > *From:* Mike Jones [mailto:Michael.Jones@microsoft.com]
>>      > *Sent:* Monday, February 18, 2013 6:58 PM
>>      > *To:* Lewis Adam-CAL022; oauth@ietf.org WG
>>      > *Subject:* RE: JWT grant_type and client_id
>>      >
>>      > The client_id value and the access token value are independent.
>>      >
>>      > -- Mike
>>      >
>>      > *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org]
>>      > *On Behalf Of* Lewis Adam-CAL022
>>      > *Sent:* Monday, February 18, 2013 2:50 PM
>>      > *To:* oauth@ietf.org WG
>>      > *Subject:* [OAUTH-WG] JWT grant_type and client_id
>>      >
>>      > Is there any guidance on the usage of client_id when using the JWT
>>      > assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04
>>      > makes no mention so I assume that it is not required ... but it would
>>      > be necessary if using in conjunction with a HOK profile where the JWT
>>      > assertion is issued to - and may only be used by - the intended
>>      > client. Obviously this is straight forward enough, really I'm just
>>      > looking to be sure that I'm not missing anything.
>>      >
>>      > tx
>>      >
>>      > adam
>>      >
>>      >
>>      > _______________________________________________
>>      > OAuth mailing list
>>      > OAuth@ietf.org
>>      > https://www.ietf.org/mailman/listinfo/oauth
>>      >
>>
>>
>>
>
>
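An added example, not code from this thread, from the assertion drafts or from any of the participants, showing how a token endpoint would treat the parameters the thread argues about: grant_type and assertion are mandatory, scope is an optional request parameter (draft-ietf-oauth-assertions section 4.1), client_id is optional (RFC 6749 section 3.2.1), and a client with a secret authenticates per section 2.3 (here with HTTP Basic, whose halves RFC 6749 section 2.3.1 form-urlencodes before base64). The client registry, the client names and secrets, and the placeholder assertion are constructed for the example; the rule that a client_id sent in the body must agree with the Basic-authenticated identity is this example's own defensive check, not a requirement stated in the thread.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Grant type identifier discussed in the thread.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed client registry (hypothetical). A client registered without a
# secret can only *identify* itself with client_id in the form body.
CLIENTS = {
    "svc-batch": "s3cret-batch",   # confidential client
    "public-app": None,            # public client, no secret on file
}


class TokenRequestError(ValueError):
    """Carries an RFC 6749 section 5.2 error code such as invalid_request."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def basic_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode id and secret, join with ':', base64."""
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def client_from_basic(authorization):
    """Reverse basic_header(); anything malformed is an invalid_client."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise TokenRequestError("invalid_client", "unsupported authentication scheme")
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise TokenRequestError("invalid_client", "malformed Basic credentials")
    cid, sep, secret = decoded.partition(":")
    if not sep:
        raise TokenRequestError("invalid_client", "malformed Basic credentials")
    return unquote_plus(cid), unquote_plus(secret)


def identify_client(headers, form):
    """Return (client_id, authenticated). Basic auth wins when present; a bare
    client_id in the body is accepted only for a client with no secret on file."""
    form_id = form.get("client_id")
    authorization = headers.get("Authorization")
    if authorization:
        cid, secret = client_from_basic(authorization)
        expected = CLIENTS.get(cid)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            raise TokenRequestError("invalid_client", "client authentication failed")
        # Defensive check added by this example (an assumption, not thread text):
        # a client_id in the body must name the client that authenticated.
        if form_id is not None and form_id != cid:
            raise TokenRequestError("invalid_request", "client_id does not match authenticated client")
        return cid, True
    if form_id is not None:
        if form_id not in CLIENTS:
            raise TokenRequestError("invalid_client", "unknown client_id")
        if CLIENTS[form_id] is not None:
            raise TokenRequestError("invalid_client", "confidential client must authenticate")
        return form_id, False
    return None, False   # no client identity at all; later policy decides


def parse_jwt_bearer_request(headers, body):
    """Parse an access token request that uses a JWT assertion as the grant.
    Required: grant_type, assertion. Optional: scope, client_id."""
    parsed = parse_qs(body, keep_blank_values=True)
    if any(len(v) > 1 for v in parsed.values()):
        raise TokenRequestError("invalid_request", "parameter included more than once")
    # RFC 6749 section 3.2: a parameter sent without a value counts as omitted.
    form = {k: v[0] for k, v in parsed.items() if v[0] != ""}
    if form.get("grant_type") != JWT_BEARER:
        raise TokenRequestError("unsupported_grant_type", "expected " + JWT_BEARER)
    if "assertion" not in form:
        raise TokenRequestError("invalid_request", "assertion is required")
    client_id, authenticated = identify_client(headers, form)
    return {
        "assertion": form["assertion"],   # signature and claims are checked after this step
        "scope": form.get("scope"),
        "client_id": client_id,
        "client_authenticated": authenticated,
    }


def error_code(headers, body):
    """The error code a request would produce, or None if it parses cleanly."""
    try:
        parse_jwt_bearer_request(headers, body)
        return None
    except TokenRequestError as e:
        return e.code


if __name__ == "__main__":
    # Constructed request: assertion as grant, Basic auth, client_id left out of the body.
    body = ("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
            "&assertion=eyJhbGciOiJSUzI1NiJ9.e30.placeholder-signature&scope=read")
    print(parse_jwt_bearer_request({"Authorization": basic_header("svc-batch", "s3cret-batch")}, body))
```

Run it directly to see the parsed request for the Basic-authenticated confidential client; swap the Authorization header for `client_id=public-app` in the body to see the identification-only path that Sergey's reading of section 2.3 describes.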