Re: [OAUTH-WG] JWT - scope claim missing
prateek mishra <prateek.mishra@oracle.com> Mon, 11 March 2013 20:27 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FF5421F900F for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2013 13:27:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5dA9GGLDaX2 for <oauth@ietfa.amsl.com>; Mon, 11 Mar 2013 13:27:51 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 9C99321F8E67 for <oauth@ietf.org>; Mon, 11 Mar 2013 13:27:51 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r2BKRnkY012676 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 11 Mar 2013 20:27:49 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r2BKRmrE010258 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 11 Mar 2013 20:27:48 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r2BKRmEP003290; Mon, 11 Mar 2013 15:27:48 -0500
Received: from [130.129.23.121] (/130.129.23.121) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 11 Mar 2013 13:27:47 -0700
Message-ID: <513E3E5D.4020006@oracle.com>
Date: Mon, 11 Mar 2013 16:28:13 -0400
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3
MIME-Version: 1.0
To: oauth@ietf.org, sakimura@gmail.com
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A948D58BEE@BY2PRD0411MB441.namprd04.prod.outlook.com> <CA+k3eCSD3EqtNC0Z--+HKwENW9pbzCNGp2_LyVp0bAphvThnRA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A948D58DC0@BY2PRD0411MB441.namprd04.prod.outlook.com> <CABzCy2D=DTes1HZumJVURdoLVz9KgxAFXqe_fKydd8VYSgCUrA@mail.gmail.com>
In-Reply-To: <CABzCy2D=DTes1HZumJVURdoLVz9KgxAFXqe_fKydd8VYSgCUrA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050409000600020808010004"
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2013 20:27:57 -0000
Nat - I think this kind of document ("JWT profile of the OAuth access token") would be very helpful to the community (+1 to Adam's comment). IMO there may be value in keeping it separate from the introspection draft which is a kind of API for validating/querying assertion contents. My guess is that developers/deployers will use one of these two approaches, not both. - prateek > So, it is soooo late in the game: I have been completely underwater to > even read the OAuth mails for about a month and slowly catching up now. > > Here is an I-D that I have created partly in response to the RS-AS > interaction piece that was talked about at IETF 85. > It does not have 'scope' and has 'claims' instead as it was based on > OpenID Connect, but it is easy to add, provided that the scopes are to > be understood as that of the 'aud'. > > http://tools.ietf.org/id/draft-sakimura-oidc-structured-token-01.txt > > Best, > > Nat > > 2013/3/1 Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com > <mailto:Adam.Lewis@motorolasolutions.com>> > > Hmmm, I'm not so sure. It depends where we all think OAuth is on > its trajectory. On one hand, OAuth has already seen an insanely > massive amount of deployment. On the other hand, RESTful APIs see > no sign of slowing down. Now I'm not going to go so far as Craig > B. and say that everything and everyone will be API enabled in the > future, but it sure is going to be a lot. That being said, one > could argue that even with all the OAuth implementation we've > seen, that this is just the infancy of it. Obviously a WG profile > of a JWT-structured AT could not deprecate other forms > (unstructured, SAML, etc.) but going forward new developers may > choose to embrace this, and in fact this could even be the > guidance. I agree with previous comments that Justin's > introspection draft might be a good place to explore this. > > adam > > *From:*Brian Campbell [mailto:bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>] > *Sent:* Thursday, February 28, 2013 1:36 PM > *To:* Lewis Adam-CAL022 > *Cc:* John Bradley; oauth@ietf.org <mailto:oauth@ietf.org> WG > > > *Subject:* Re: [OAUTH-WG] JWT - scope claim missing > > I do agree that a WG profile of a JWT-structured access token > could lend itself to interoperability and ultimately be a useful > thing. But you are right that there already are many > implementations out there in the wild (heck, I've written one > myself) and that might make it difficult to standardize on something. > > Because of that, and many other reasons, I don't want to try and > add that to existing assertion drafts. > > On Thu, Feb 28, 2013 at 12:13 PM, Lewis Adam-CAL022 > <Adam.Lewis@motorolasolutions.com > <mailto:Adam.Lewis@motorolasolutions.com>> wrote: > > Hi Brian, a few thoughts from somebody outside of the WG ... > > As a newcomer to OAuth last year, I was initially confused by the > titles. It was confusing because we have SAML bearer > **assertions** and JWT bearer **tokens** ... and as John just > (begrudgingly) stated in this thread, the JWT is being used as an > assertion in this profile (and in OIDC). I think it will be > difficult to find a good name for these profiles since they do two > entirely different things (e.g. define a new grant type and define > a new method of client authentication). One could argue that as > long as the WG is at it, then why not add a third section to the > JWT profile, which talks about usage of JWT-structured bearer > access tokens: it would not be any less related than the other two > focuses of the doc. Then the document could be called something > simple like "profiles of JWT usage in OAuth" or something like that. > > On one hand, it is probably naïve to think that an access token > can be standardized in a profile given how many have already been > released into the wild, but on the other hand, a WG profile of a > JWT-structured access token could lend itself to interoperability, > where AS implementations can advertise conformance to the profile > and who knows ... maybe the RS's of the future will be good with > this. > > adam > > *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> > [mailto:oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>] > *On Behalf Of *Brian Campbell > *Sent:* Thursday, February 28, 2013 1:03 PM > *To:* John Bradley > *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> WG > > > *Subject:* Re: [OAUTH-WG] JWT - scope claim missing > > I'm not sure anyone really "picked" the titles for the bearer > token profiles. They just kind of evolved. And evolved in funny > ways especially when client authn to the AS was added. > > You won't hear me argue that the titles are "good" and this is not > the first time there's been confusion about what they actually do. > They define new grant types and new client authentication methods. > They *do not* define an access token format or anything else about > access tokens. JWT and SAML could be used for that but that's not > what these drafts do. > > Suggestions for better title(s) would be more than welcome. > > Here's what they are now: > > > SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 > draft-ietf-oauth-saml2-bearer > > JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 > draft-ietf-oauth-jwt-bearer > > Assertion Framework for OAuth 2.0 > draft-ietf-oauth-assertions > > On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > Yes the title likely adds to the confusion given that the bearer > tokens are not access tokens. > > Things as separate from OAuth as the Firefox browerID spec use JWS > signed JWTs. > > The bearer token profiles for OAuth 2 are for OAuth2. > > The JSON Web Token (JWT) > <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec > did not start in OAuth and is not OAuth specific. > > A JWT is: > > JSON Web Token (JWT) A string representing a set of claims as a JSON > > object that is encoded in a JWS or JWE, enabling the claims to be > > digitally signed or MACed and/or encrypted. > > So OAuth or other profiles may define claims to go in a JWT, but > the JWT needs to itself only define the claims necessary for > security processing. > > John B. > > PS that was a soft ball If you hadn't responded I would have been > disappointed. I din't pick the title for the bearer token profiles. > > On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com > <mailto:phil.hunt@oracle.com>> wrote: > > > JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 > > > Note the title says "for OAuth2" > > Sorry. Couldn't resist. > > Phil > > Sent from my phone. > > > On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > JWT is an assertion( I am probably going to regret using that > word). > > It is used in openID connect for id_tokens, it is used in > OAuth for Assertion grant types and authentication of the > client to the token endpoint. > > http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04 > > > > > > > JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 > > Dosen't define JWT's use for access tokens for the RS. > > Bottom line JWT is for more than access tokens. > > John B. > > On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com > <mailto:phil.hunt@oracle.com>> wrote: > > Are you saying jwt is not an access token type? > > Phil > > Sent from my phone. > > > On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > Yes, defining scope in JWT is the wrong place. JWT needs > to stick to the security claims needed to process JWT. > > I also don't know how far you get requiring a specific > authorization format for JWT, some AS will wan to use a > opaque reference, some might want to use a user claim or > role claim, others may use scopes, combining scopes and > claims is also possible. > > Right now it is up to a AS RS pair to agree on how to > communicate authorization. I don't want MAC to be more > restrictive than bearer when it comes to authorization > between AS and RS. > > Hannes wanted to know why JWT didn't define scope. The > simple answer is that it is out of scope for JWT itself. > It might be defined in a OAuth access token profile for > JWT but it should not be specific to MAC. > > John B. > > On 2013-02-28, at 8:44 AM, Brian Campbell > <bcampbell@pingidentity.com > <mailto:bcampbell@pingidentity.com>> wrote: > > I think John's point was more that scope is something > rather specific to an OAuth access token and, while JWT is > can be used to represent an access token, it's not the > only application of JWT. The 'standard' claims in JWT are > those that are believed (right or wrong) to be widely > applicable across different applications of JWT. One could > argue about it but scope is probably not one of those. > > It would probably make sense to try and build a profile of > JWT specifically for OAuth access tokens (though I suspect > there are some turtles and dragons in there), which might > be the appropriate place to define/register a scope claim. > > On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt > <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote: > > Are you advocating TWO systems? That seems like a bad choice. > > I would rather fix scope than go to a two system approach. > > Phil > > Sent from my phone. > > On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > > While scope is one method that a AS could communicate > authorization to a RS, it is not the only or perhaps even > the most likely one. > > Using scope requires a relatively tight binding between > the RS and AS, UMA uses a different mechanism that > describes finer grained operations. > > The AS may include roles, user, or other more abstract > claims that the the client may (god help them) pass on to > EXCML for processing. > > > > While having a scopes claim is possible, like any other > claim it is not part of the JWT core security processing > claims, and needs to be defined by extension. > > > > John B. > > On 2013-02-28, at 2:29 AM, Hannes Tschofenig > <hannes.tschofenig@gmx.net > <mailto:hannes.tschofenig@gmx.net>> wrote: > > > >> Hi Mike, > >> > >> when I worked on the MAC specification I noticed that > the JWT does not have a claim for the scope. I believe > that this would be needed to allow the resource server to > verify whether the scope the authorization server > authorized is indeed what the client is asking for. > >> > >> Ciao > >> Hannes > >> > >> _______________________________________________ > >> OAuth mailing list > >> OAuth@ietf.org <mailto:OAuth@ietf.org> > >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- [OAUTH-WG] JWT - scope claim missing Hannes Tschofenig
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Hannes Tschofenig
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Justin Richer
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Justin Richer
- Re: [OAUTH-WG] JWT - scope claim missing Mike Jones
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing prateek mishra
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Mike Jones
- Re: [OAUTH-WG] JWT - scope claim missing Nat Sakimura
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Nat Sakimura
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Eve Maler
- Re: [OAUTH-WG] JWT - scope claim missing Richer, Justin P.
- Re: [OAUTH-WG] JWT - scope claim missing prateek mishra