[OAUTH-WG] FW: New Version Notification for draft-ietf-oauth-access-token-jwt-06.txt

Vittorio Bertocci <vittorio.bertocci@auth0.com> Wed, 15 April 2020 07:25 UTC

From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: New Version Notification for draft-ietf-oauth-access-token-jwt-06.txt
Date: Wed, 15 Apr 2020 07:25:41 +0000
Message-ID: <MWHPR19MB1501E14E85781281CA327CC8AEDB0@MWHPR19MB1501.namprd19.prod.outlook.com>
References: <158693500043.13234.5281466444356484617@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/puB_PEkICulefYFvK6emG1l0ge0>

Dear all,

Thanks again for the constructive discussions leading to, during and following the Virtual interim meeting on Monday.

I uploaded a new draft reflecting the changes we discussed; here's a summary:

Changes discussed during the interim meeting:

   o  In Section 2.2.3<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06#section-2.2.3> and Section 3<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06#section-3> eliminated language prohibiting JWT AT requests featuring multiple resources, substituting it with the prohibition for the AS to emit JWT ATs expressing ambiguous authorization grants.  In Section 5<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06#section-5>, added language warning against scope confusion and mentioned the existence of other ambiguous authorization grants.

   o  In Section 2.2<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06#section-2.2> promoted claims iat and jti from RECOMMENDED to REQUIRED.

Changes from the subsequent follow-ups:

   o  In Section 2.2<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06#section-2.2> and Section 6<https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06#section-6> added a discussion about how different sub values affect the privacy properties of a solution.

Thanks

V.


On 4/15/20, 00:16, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

    A new version of I-D, draft-ietf-oauth-access-token-jwt-06.txt
    has been successfully submitted by Vittorio Bertocci and posted to the
    IETF repository.



    Name:           draft-ietf-oauth-access-token-jwt
    Revision:       06
    Title:          JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
    Document date:  2020-04-14
    Group:          oauth
    Pages:          19
    URL:            https://www.ietf.org/internet-drafts/draft-ietf-oauth-access-token-jwt-06.txt
    Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
    Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
    Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt
    Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-06

    Abstract:
       This specification defines a profile for issuing OAuth 2.0 access
       tokens in JSON web token (JWT) format.  Authorization servers and
       resource servers from different vendors can leverage this profile to
       issue and consume access tokens in an interoperable manner.

    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.

    The IETF Secretariat
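The -06 change promoting iat and jti from RECOMMENDED to REQUIRED is easiest to appreciate from the resource server side, so the following is an added example (not code from the draft or from the author) of the acceptance checks an RS can enforce once those claims are guaranteed to be present: a maximum-age policy on iat and a revocation denylist keyed on jti, alongside the standard signature, at+jwt typ, exp and aud checks, with aud accepted as either a string or an array. The HS256 shared key, the audience value and the revoked identifier are constructed for self-containment; a real RS would verify against the AS's published keys.

```python
import base64, hashlib, hmac, json

# Constructed values; a real RS would take the signing key from the AS's
# JWKS and the expected audience from its own configuration.
DEMO_KEY = b"constructed-demo-key-not-for-production"
RS_AUDIENCE = "https://api.example/orders"
REVOKED_JTI = {"constructed-revoked-id"}  # denylist fed by the AS

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_at(claims):
    """Constructed HS256 issuer, present only so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_at(token, now, max_age=3600):
    """RS-side acceptance check; returns (ok, reason)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if json.loads(_b64url_decode(header_b64)).get("typ") != "at+jwt":
        return False, "not a JWT access token"
    claims = json.loads(_b64url_decode(payload_b64))
    # iat and jti are REQUIRED as of -06; without them the age and
    # revocation checks below could not be enforced.
    missing = [c for c in ("iat", "jti", "exp", "aud") if c not in claims]
    if missing:
        return False, f"missing required claims: {missing}"
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if RS_AUDIENCE not in auds:
        return False, "audience mismatch"
    if not claims["iat"] <= now < claims["exp"]:
        return False, "outside validity window"
    if now - claims["iat"] > max_age:
        return False, "token older than local max_age policy"
    if claims["jti"] in REVOKED_JTI:
        return False, "jti revoked"
    return True, "ok"
```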