Re: [OAUTH-WG] DPoP JWT claims

Neil Madden <neil.madden@forgerock.com> Thu, 16 June 2022 21:32 UTC


Is that actually true? The DPoP spec itself is a case in point: it reuses the existing OIDC “nonce” claim but explicitly says that DPoP nonces are not like OIDC nonces (section 9):

“Developers should also take care to not confuse DPoP nonces with the OpenID Connect [OpenID.Core] ID Token nonce.”

The official IANA registration of “nonce” says:

Value used to associate a Client session with an ID Token

Does this matter? If not, does it matter if some other spec defines a “htm” claim with different meaning? 

> On 16 Jun 2022, at 20:50, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> 
> Registering the names provides clarity on use and avoids confusion on the meaning of a claim — ie two specs won’t have conflicting definitions of “htm”
> 
>> On Thu, Jun 16, 2022 at 10:20 AM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> wrote:
>> I think the registration really helps with discovery, especially as an implementer. When you see or observe these claims in a JWT, you can google them potentially returning no results. If you know about the IANA registry you can find them, even if you don't know that the tokens have anything to do with DPoP.
>> 
>>> On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <neil.madden@forgerock.com> wrote:
>>> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do these claims actually make sense outside of a DPoP proof? Presumably the risk of naming collision within a DPoP proof is pretty small, so is there any benefit to registering them rather than just using them as private claims? 
>>> 
>>> (I guess I could ask the same question about lots of other entries in the current registry at IANA, many of which look completely app-specific to me).
>>> 
>>> [1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7 
>>> 
>>> — Neil
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
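An added example, not code from the thread or from the DPoP draft: the claim-level checks a resource server applies to a DPoP proof after its JWS signature has been verified against the header "jwk", which makes concrete that "htm", "htu", "ath" and "nonce" carry their DPoP meaning only inside such a proof (the DPoP "nonce" is matched against a server-issued value, not an OIDC session nonce). Function names, the skew window and the sample values are assumptions.

```python
import base64
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit


def b64url_sha256(data: bytes) -> str:
    """base64url without padding of SHA-256: the encoding DPoP uses for "ath"."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def normalize_htu(uri: str) -> str:
    """DPoP "htu" is the target URI with query and fragment removed."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def check_dpop_claims(header, claims, *, method, uri, access_token=None,
                      expected_nonce=None, now=None, max_skew=300):
    """Claim checks on a proof whose signature was ALREADY verified with the
    header "jwk" (signature handling is out of scope here). Returns (ok, reason).
    max_skew (seconds) is an assumed local policy, not a value from the draft."""
    now = time.time() if now is None else now
    if header.get("typ") != "dpop+jwt":
        return False, "typ is not dpop+jwt"
    alg = header.get("alg") or ""
    if alg.lower() == "none" or alg.startswith("HS") or "jwk" not in header:
        return False, "bad alg or missing jwk"   # no "none", no MAC, key must be present
    if not isinstance(claims.get("jti"), str):
        return False, "missing jti"
    # "htm"/"htu" mean "HTTP method" and "HTTP target URI" only inside a DPoP proof.
    if claims.get("htm") != method:               # method comparison is case-sensitive
        return False, "htm mismatch"
    if claims.get("htu") != normalize_htu(uri):
        return False, "htu mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_skew:
        return False, "iat outside acceptable window"
    if access_token is not None and claims.get("ath") != b64url_sha256(access_token.encode("ascii")):
        return False, "ath mismatch"
    # DPoP "nonce": the value this server handed out in a DPoP-Nonce header,
    # not the OIDC ID Token nonce that binds a client session. Same name, different check.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, "ok"
```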