Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question

Brian Campbell <> Mon, 21 September 2020 19:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E0623A0D3D for <>; Mon, 21 Sep 2020 12:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.855
X-Spam-Status: No, score=-0.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3DH28tZq-Y3R for <>; Mon, 21 Sep 2020 12:33:28 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 734BA3A0D3E for <>; Mon, 21 Sep 2020 12:33:28 -0700 (PDT)
Received: by with SMTP id n25so12123308ljj.4 for <>; Mon, 21 Sep 2020 12:33:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LgXDk6pPDnO+97NriRYa9BEV0UmlKyG1UtfhrdOLLsk=; b=QWFscERF7BBAEBbaM3YB3XvgZDpcwfCD3+cNp2IzhYADKSjpj7jQcltTZPhY1k2FNG M/f3JENlb64cWmpzMzbaPR3dFuAGbK9q1vsA+7Ay4G3Mx3gvfSYKS1BpIuIN32FPNmEx vnni0rYUUHYCYCbdtRDhDvsb/HOHElovNZxQGS6Hvzv/io0VNLTe/FOVELDpT4syavSL FA1NESGQEvE4ZyyTowaStbJDo3QBExPAYOj+Q7AazSOa7o5iQ0yVccbDc9mKEpR10RMq /dZf9YY/9zVwyAnzpqZrM31o+Jo1qtbVtzKf9G9L8w3qeScTNqsdEEanAAj+tWARkDA3 TBRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LgXDk6pPDnO+97NriRYa9BEV0UmlKyG1UtfhrdOLLsk=; b=NaIjsu6+ZjkRAjyMAvo/Flbr2KQo+mWULnakvQzpmc1tdcTPddkS4Whhyt0i1rDerr RczuqWyZq+u9k/jQ33B2zjiA9YIgiVaqkXJz4P1olq+wX9h6RbVBv5Ke2c37BN9mbtdA ddbEhvgfVW+34v0MZrhj85qRJ1IcP6xzEQpbm4k/0Y+YPYwDB4sAIhEQIhtFscddraPo uHtVir9Oxge7qY5T2Uo9NPE/5UTzr5GDbBLdx8JXITUXjo50UrKL3u2JcPqMdqCpVyPs BWS+5KFiTSQiMKI5OOFlVJvk2mPawlKsS44nPiFxTHu2ViWDJVmrXaE64UoAepVXzvXE Hwkg==
X-Gm-Message-State: AOAM533fBDt907CApxeudqmYf2vrI2MIrjnn/zTPjp6hrD2Bf0FYyoeI jXG9AfU6cGGe9oAMN+5VxF2RVaFbI6dMlVqAioYhneMFaUi9MBfuRk8I6dM4Y84xclwU5OH3Gp/ XOkvnhcpbBZUNcw==
X-Google-Smtp-Source: ABdhPJxdcqWNcu8/9xT032X/rtto3r3617V4u7QjA1cfOGAzehAYCiLwMbUNJjp/Dwr001CxW3m4he9Db2dMhse0ovw=
X-Received: by 2002:a2e:95c5:: with SMTP id y5mr350792ljh.422.1600716806376; Mon, 21 Sep 2020 12:33:26 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Mon, 21 Sep 2020 13:33:00 -0600
Message-ID: <>
To: Vittorio Bertocci <>
Cc: Logan Widick <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000a1852b05afd7ecae"
Archived-At: <>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Sep 2020 19:33:30 -0000

At some point I'm going to be among the lucky few who will be asked to
review the JWT claims registration request. One of the criteria to consider
is "whether the registration description is clear" and Logan's questions
suggest that perhaps the descriptions of these claims are not sufficiently
clear. My assumption was that the claim value for "roles", "groups" and
"entitlements" was going to be an array of strings. Trying to validate my
assumption, I went looking at the text in
and followed the reference to and, honestly, it wasn't
particularly clear to me. Maybe it's my lack of familiarity with the
details of SCIM and the language of RFC 7643. But I think that, for the
sake of clarity and interoperability, some additional specificity is

Side note: the "Section of [[this specification]]" references in
are problmatic (there is no such section in this document) and probably
should be to

On Fri, Sep 18, 2020 at 6:28 PM Vittorio Bertocci <vittorio.bertocci=> wrote:

> Hi Logan,
> Thanks for the note.
> The intent would be to present that information in the same way you would
> when querying a users/<id>, encoded in claims; hence groups would be a list
> of values representing  what groups the subject belongs to, rather than a
> list of full group definitions (with all the other members belonging to
> them, for example) which would go beyond the intended use of the
> information (supplying authorization information about the subject).
> I tried to keep the language high level as I didn’t want to duplicate SCIM
> guidance, or inadvertently narrow down the options products have to
> implement this.  If you think this is too vague, we can try to be more
> specific.
> *From: *OAuth <> on behalf of Logan Widick <
> *Date: *Wednesday, September 16, 2020 at 14:21
> *To: *"" <>
> *Subject: *[OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
> I took a look at Section Claims for Authorization Outside of
> Delegation Scenarios (
> and I do not understand what exactly the formats of the "roles", "groups",
> and "entitlements" claims will be.
> Will the "roles" claim be an array of strings (role names, IDs, or links),
> an array of the "roles" objects from the SCIM User schema (pages 66-67 of
> RFC 7643), or something else?
> Will the "groups" claim be an array of strings (group names, IDs, or
> links), an array of the "groups" objects from the SCIM User schema (pages
> 63-64 of RFC 7643), an array of SCIM Group schema objects (pages 69-70 of
> RFC 7643), or something else?
> Will the "entitlements" claim be an array of strings (entitlement names,
> IDs, or links), an array of the "entitlements" objects from the SCIM User
> schema (pages 65-66 of RFC 7643), or something else?
> Sincerely,
> Logan Widick
> _______________________________________________
> OAuth mailing list

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._