[OAUTH-WG] oauth-jwsreq & parameter registration

Brian Campbell <bcampbell@pingidentity.com> Wed, 24 July 2019 12:43 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 24 Jul 2019 06:42:33 -0600
Message-ID: <CA+k3eCTtqSi+_Y_BLaknAFSa9Jj94zyRBGWZb86CkDm23ENw6g@mail.gmail.com>
To: oauth <oauth@ietf.org>, oauth-chairs@ietf.org, draft-ietf-oauth-jwsreq@ietf.org, sec-ads@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0EenxmThjII52SAr9atpBStRtcs>

In the WG meeting yesterday I mentioned that I thought there might have
been some action already taken with respect to "JWT Secured Authorization
Request (JAR)" and the potential name conflicts between authorization
parameters and JWT claims.

I tracked down this ticket in the OpenID Connect WG
https://bitbucket.org/openid/connect/issues/1019/core-iana-consideration,
which touches on the issue but it doesn't look like any action has actually
been taken.

I do think that what is mentioned in the ticket (effectively registering
some core "meta" JWT claims as authorization request parameters) is
pragmatic and sufficient.

As one data point, as far as I know, "aud" is the only name where we've
actually encountered this particular name collision problem.

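As an added example (not code from this message, the OpenID Connect ticket, or the JAR draft), here is how an authorization server could apply the approach the ticket describes: treat the JWT registered claim names as request-object metadata, validate them, and interpret only the remaining members as authorization request parameters, so that "aud" is checked as the JWT audience rather than read as a request parameter. The issuer URL, client id and sample payload are constructed for the example.

```python
"""Separate JWT meta claims from OAuth request parameters in a decoded
JAR request object payload (signature verification assumed done already)."""
import time

# JWT registered claim names (RFC 7519 section 4.1), treated here as
# request-object metadata rather than authorization request parameters.
JWT_META_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}

# Constructed authorization server identifier (assumption for the example).
AS_ISSUER = "https://as.example.com"


def validate_meta_claims(payload, client_id, now=None):
    """Check the JWT-level claims; return a list of problems (empty if OK)."""
    now = time.time() if now is None else now
    problems = []
    aud = payload.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    # "aud" is the JWT audience: it must name this authorization server.
    if not aud or AS_ISSUER not in aud:
        problems.append("aud does not include the authorization server")
    # When present, "iss" must identify the requesting client.
    if payload.get("iss") not in (None, client_id):
        problems.append("iss does not match the client")
    exp = payload.get("exp")
    if exp is not None and now >= exp:
        problems.append("request object expired")
    nbf = payload.get("nbf")
    if nbf is not None and now < nbf:
        problems.append("request object not yet valid")
    return problems


def extract_request_params(payload):
    """Return only the members that are OAuth authorization request parameters."""
    return {k: v for k, v in payload.items() if k not in JWT_META_CLAIMS}


# Constructed sample decoded request object payload.
SAMPLE_PAYLOAD = {
    "iss": "client-123",
    "aud": "https://as.example.com",
    "exp": 2000000000,
    "response_type": "code",
    "client_id": "client-123",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
    "state": "constructed-state-value",
}
```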