Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-07.txt

Tangui Le Pense <> Mon, 20 July 2020 20:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD1503A0E93 for <>; Mon, 20 Jul 2020 13:23:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nb3dqYTh_JFt for <>; Mon, 20 Jul 2020 13:23:48 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 032A83A0E90 for <>; Mon, 20 Jul 2020 13:23:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject; bh=jpCzwmZ9bAC6KmppRbB0ydAM0rChLR4/6zMzPZotwp4=; b=eF9jlpzyI7cCI/rC8CQD2yjAotpSt51mEa8KYtDh+jmF7gLwVH0n8y+SSaCDi/AXP84jMBeUGdi4Kcu6hlINlPLJF/Wx25MsOOGH3jWN66CEI+aEzOMJLngDxo6c/Xdo32trV8FtEjM3/NWTEIuWT0s2OWxdCYQimAh5Tifgt+s=;
Received: by with esmtpa (envelope-from <>) id 1jxcK9-0004e6-IL for; Mon, 20 Jul 2020 23:23:45 +0300
References: <>
From: Tangui Le Pense <>
Message-ID: <>
Date: Mon, 20 Jul 2020 23:23:45 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Authentication-Results:; auth=pass
X-7564579A: 646B95376F6C166E
X-77F55803: 4F1203BC0FB41BD90521F83352E4771D91EDC9CB2778FA1724253D08BDDBD5E3182A05F538085040804FE27C125589B80BACCD322CA78AA22B8F642EB5EA8410B3B337150C75DD1D
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7DECE8D0A5E25C0FCEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F79006370D3D68FCEFFDD9EA8638F802B75D45FF5571747095F342E8C7A0BC55FA0FE5FC0FA58044AE02A33A696D02FA98226F8CB7BDE8874FDAF3C6389733CBF5DBD5E913377AFFFEAFD269A417C69337E82CC2CC7F00164DA146DAFE8445B8C89999725571747095F342E8C26CFBAC0749D213D2E47CDBA5A9658378DA827A17800CE7A4F00A9E8C511CEB9FA2833FD35BB23DF004C906525384309383FD4D963104D47B076A6E789B0E975F5C1EE8F4F765FC63AF70AF8205D7DCD81D268191BDAD3DBD4B6F7A4D31EC0B6941894150739B64D81D268191BDAD3D78DA827A17800CE718C383925DBD9593EC76A7562686271E8729DE7A884B61D135872C767BF85DA29E625A9149C048EE0A3850AC1BE2E735D2D576BCF940C7364AD6D5ED66289B524E70A05D1297E1BB35872C767BF85DA227C277FBC8AE2E8BC6A536F79815AD9275ECD9A6C639B01B4E70A05D1297E1BBC6867C52282FAC85D9B7C4F32B44FF57C2F2A386D11C4599BD9CCCA9EDD067B1EDA766A37F9254B7
X-C8649E89: BD18E5C6210A29DFC8F067270F1482813B3CE3A841419CAC3EDC583455B5B02DB7DFA0CDD36E7CC39F595CEF8576C34B
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojURwlcvcvMAkyvoC9i/A5hw==
X-Mailru-Sender: 583F1D7ACE8F49BD9992EFD99BFCA825CDCE00195D65A6B876FAD285F89A500AA688C376F5BFB3D8A5D2D6C63D114D6383AFC63A7763B797302201EBD47025992073CDDE12DEC8CD6F486DAF1ACEF02CC676CB43868BEEFB8FF63FEAB625EE02EAB4BC95F72C04283CDA0F3B3F5B9367
X-Mras: Ok
Archived-At: <>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-07.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Jul 2020 20:23:50 -0000


A few late remarks and questions about this version of the draft. Sorry 
if it was already answered, but I haven't found answers in the previous 

Section 2.1: in case the JWT is signed then encrypted, which jwt should 
include the "typ" parameter with the "at+jwt" value? The outer encrypted 
JWT (JWE), the inner signed JWT (JWS) or both?

Section 3: the example is missing the "iat" and "jti" fields that are 
mandatory per section 2.2:

      "iss": "",
      "sub": " 5ba552d67",
      "aud":   "",
      "exp": 1544645174,
      "client_id": "s6BhdRkqt3_",
      "scope": "openid profile reademail"

Section 4 "Validating JWT Access Tokens":

    o  If the JWT access token is encrypted, decrypt it using the keys
       and algorithms that the resource server specified during
       registration.  If encryption was negotiated with the authorization
       server at registration time and the incoming JWT access token is
       not encrypted, the resource server SHOULD reject it.

The registration details are not documented. As an RS seems to be a 
special case of an OAuth2 client (without any grant type granted, 
except, possibily, "client_credentials") I was expecting registration of 
dynamic client registration metadata similar to those for ID tokens 
(something like "access_token_signed_response_alg", 
"access_token_encrypted_response_alg" and 
"access_token_encrypted_response_enc"), and same for discovery metadata.

Is the rationale for the absence of the registration of these fields 
that RSes are not considered as OAuth2 clients?

Also, in the same section, nothing is said about the validation of "iat" 
and "jti".




27.04.2020 21:27, пишет:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>          Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
>          Author          : Vittorio Bertocci
> 	Filename        : draft-ietf-oauth-access-token-jwt-07.txt
> 	Pages           : 19
> 	Date            : 2020-04-27
> Abstract:
>     This specification defines a profile for issuing OAuth 2.0 access
>     tokens in JSON web token (JWT) format.  Authorization servers and
>     resource servers from different vendors can leverage this profile to
>     issue and consume access tokens in interoperable manner.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> OAuth mailing list