Re: [OAUTH-WG] oauth-access-token-jwt: comments and clarifications
Benjamin Kaduk <kaduk@mit.edu> Thu, 08 April 2021 19:14 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F7013A17F7 for <oauth@ietfa.amsl.com>; Thu, 8 Apr 2021 12:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmNlQYxgTp8Z for <oauth@ietfa.amsl.com>; Thu, 8 Apr 2021 12:14:19 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 740E93A17F6 for <oauth@ietf.org>; Thu, 8 Apr 2021 12:14:19 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 138JECFf000447 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 8 Apr 2021 15:14:16 -0400
Date: Thu, 08 Apr 2021 12:14:11 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Roberto Polli <robipolli@gmail.com>
Cc: oauth <oauth@ietf.org>
Message-ID: <20210408191411.GU79563@kduck.mit.edu>
References: <CAP9qbHURF22ehJfQ3=8v1X07wueAcBUFG4HUq6KYda8NA+3=nw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAP9qbHURF22ehJfQ3=8v1X07wueAcBUFG4HUq6KYda8NA+3=nw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1b4IODkk3KRDUViS8EeNQMTXruY>
Subject: Re: [OAUTH-WG] oauth-access-token-jwt: comments and clarifications
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Apr 2021 19:14:21 -0000
Hi Roberto, On Fri, Apr 02, 2021 at 11:55:27AM +0200, Roberto Polli wrote: > Hi Vittorio et al, > > some considerations on oauth access token jwt follows. > You can see them here too > https://docs.google.com/document/d/1XsvBzGvhcY0N6vJNgLx6G1dJ5trvgwYRJA9F_NCakbU/edit > > An example with client_credential grant type would be nice too. > > My 2¢, > R. > > § 1.2 Terminology > > + The terms "Collision-Resistant", is used according to Section 2 of > {{JWT}}. > > §2.1 Header > > - mentioning "none" alg can be redundant. I'd reference all the JWT BCP > instead. > - I'd add an example header, eg > > ~~~ example > > { > > "typ": "at+jwt", > > "alg": "PS256" > > } > > ~~~ > > > § 2.2.1 Authentication Information Claims > > Is it worth mentioning the "implicit flow"? > > §2.2.2 Identity Claims > > - use the "Collision-Resistant" definition in {{JWT}} > > §2.2.3 Authorization Claims > > - " ... scope parameter..." should `scope` be quoted? > - "All the individual scope strings in the "scope" claim MUST have meaning > for the resources indicated in the "aud" claim." > ^ otherwise the error returned is ...? Should we reference §4 here? > > §2.2.3.1 Claims for Authorization Outside of Delegation Scenarios > - which are the delegated scenarios described in RFC7519? Do you refer to > "When using an administratively delegated > namespace" ? It is not clear to a first-reader. > > §3 Requesting a JWT Access Token > - an example with `client_credential` grant type would be great. > - iiuc `jti` is required, the example does not report it. That's a very good catch; thank you! -Ben > §4 Validating JWT Access Tokens > > - the step about forbidding "none" is limitative WRT JWT BCP 8725 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] oauth-access-token-jwt: comments and c… Roberto Polli
- Re: [OAUTH-WG] oauth-access-token-jwt: comments a… Benjamin Kaduk
- Re: [OAUTH-WG] oauth-access-token-jwt: comments a… Vittorio Bertocci