Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq

John Bradley <ve7jtb@ve7jtb.com> Thu, 01 November 2018 12:45 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 01 Nov 2018 09:45:23 -0300
To: Jim Schaad <ietf@augustcellars.com>
Cc: Michael Jones <Michael.Jones@microsoft.com>, draft-ietf-oauth-jwsreq@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2Fu7T6ACfDTaKkbyVI00j-4nf6Y>

The JWT was done by the OAuth WG.

Some wanted it to be core to OAuth and others wanted it to be entirely
optional so that people would not feel obligated to use it for access
tokens.

JWT is used in a number of OAuth specs now and provides consistency for
some common elements like issuer, audience, and expiry.

Yes, we could have started from JWS and redefined those elements, but we would
then need another IANA registry.

Perhaps I am not understanding what you are getting at.

John B.


On Thu, Nov 1, 2018, 4:04 AM Jim Schaad <ietf@augustcellars.com> wrote:

> Ok – I’ll ask the questions explicitly.
>
> What additional features do you get from the claims that are already
> defined for a JWT?
>
> How do these features relate to the original problem statement of needing
> encryption and origination?
>
> Why are these not features that should be in the base OAuth design and
> thus part of the OAuth registry?
>
> Jim
>
> *From:* Mike Jones <Michael.Jones@microsoft.com>
> *Sent:* Wednesday, October 31, 2018 9:18 AM
> *To:* Jim Schaad <ietf@augustcellars.com>;
> draft-ietf-oauth-jwsreq@ietf.org
> *Cc:* 'oauth' <oauth@ietf.org>
> *Subject:* RE: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq
>
> JWT defines a number of standard claims that are used in this application,
> including "iss" (issuer), "aud" (audience), etc. Making the requests a JWT
> allows code reuse, rather than having an application-specific signed
> request representation that has many of the semantics and fields of a JWT
> anyway.
>
> It's also worth noting that this practice has been a standard since 2014.
> OpenID Connect Core standardized the OAuth signed request format in
> https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests. The
> draft-ietf-oauth-jwsreq
> <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17> spec is the
> OAuth-only version of this already standard and deployed practice.
> (There are other precedents for OAuth subsetting standard OpenID Connect
> functionality. For instance, RFC 8414
> <https://tools.ietf.org/html/rfc8414> is the OAuth-specific subset of the
> metadata format defined by OpenID Connect Discovery
> <https://openid.net/specs/openid-connect-discovery-1_0.html>.)
>
> -- Mike
>
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Jim Schaad
> Sent: Wednesday, October 31, 2018 8:33 AM
> To: draft-ietf-oauth-jwsreq@ietf.org
> Cc: 'oauth' <oauth@ietf.org>
> Subject: [OAUTH-WG] Mail regarding draft-ietf-oauth-jwsreq
>
> As part of looking at the issues of using CWTs for this purpose I did some
> more reading of the document. I am having a problem understanding the
> reasons for using JWT as opposed to just saying that you are going to
> use JWS and JWE. There is nothing in this section that I can see that
> points to a reason to be using JWTs as the carrier. What am I missing?
>
> Jim
>
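Mike's point about reusing the standard JWT claims, and John's about consistent issuer, audience and expiry handling, as an added example that is not code from the thread or from the draft: a JAR-style request object carried as a JWT, which the authorization server validates with the same generic "iss"/"aud"/"exp" checks it applies to any other JWT. The HS256 shared secret, the client_id `s6BhdRkqt3` and the issuer URLs are constructed assumptions; real deployments typically sign with the client's asymmetric key, but the claim checks are the same.

```python
# Added example, not code from the thread or the draft: a JAR-style request object
# carried as a JWT, so the authorization server validates its "iss", "aud" and "exp"
# with the same generic JWT checks it already applies to other tokens.
# Assumption: HS256 with a client/AS shared secret (real deployments typically sign
# with the client's asymmetric key; the claim checks are the same either way).
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(params: dict, client_id: str, as_issuer: str,
                        secret: bytes, now: int, ttl: int = 300) -> str:
    """Wrap OAuth authorization parameters plus standard JWT claims and sign."""
    claims = dict(params, iss=client_id, aud=as_issuer, iat=now, exp=now + ttl)
    signing_input = (b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + b64url(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_request_object(token: str, expected_client: str, as_issuer: str,
                          secret: bytes, now: int) -> dict:
    """Generic JWT validation reused for request objects; raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes alg
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_client:
        raise ValueError("iss must equal the client_id")
    if claims.get("aud") != as_issuer:
        raise ValueError("aud must be this authorization server")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("request object expired")
    if claims.get("client_id") != claims["iss"]:
        raise ValueError("client_id parameter disagrees with iss")
    return claims
```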