[OAUTH-WG] AD Review of draft-ietf-oauth-jwt-introspection-response-09

Roman Danyliw <rdd@cert.org> Fri, 21 August 2020 14:43 UTC

From: Roman Danyliw <rdd@cert.org>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: AD Review of draft-ietf-oauth-jwt-introspection-response-09
Thread-Index: AdZ3yNCMMi3AzHwFQQyw6c2oHNRUWA==
Date: Fri, 21 Aug 2020 14:43:39 +0000
Message-ID: <8a42a78a8a3645f793b0991e4dd5bb34@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6VPGZxXt12WRgXe4IXsWN7UA054>
Subject: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-introspection-response-09


I conducted another AD review of draft-ietf-oauth-jwt-introspection-response-09.  As background, -07 of this document went to IESG Review and the document was brought back to the WG to address the DISCUSS points.  

Below is my feedback which can be addressed concurrently with IETF LC.

** Section 5.  I want to clarify what are the permissible members of token_introspection.  The two relevant text snippets seem to be:

(a) "token_introspection  A JSON object containing the members of the
           token introspection response, as specified in the "OAuth
           Token Introspection Response" registry established by
           [RFC7662] as well as other members."

(b) "Claims from the "JSON Web Token Claims" registry that are
           commonly used in [OpenID.Core] and can be applied to the
           resource owner MAY be included as members in the
           "token_introspection" claim."

-- Per (a), Recommend citing the IANA sub-registry directly -- https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response (and not the "as specified in the "OAuth Token Introspection Response" registry established by [RFC7662]")

-- Per (a), "... as well as other members", what members is this referencing?  Is that (b)?  Recommend being clear upfront on which exact registries are the sources of valid members.

-- Per (b), "... commonly used in [OpenID.Core]", what are those specifically?  Is that claims registered in https://www.iana.org/assignments/jwt/jwt.xhtml#claims whose reference is [OpenID Connect Core 1.0]?  Recommend being unambiguous in which claims are permitted by pointing to the IANA registry.

-- If I'm understanding right that the source comes either from oauth-parameters.xhtml#token-introspection-response or jwt.xhtml#claims, what happens if it isn't one of those?

** Section 5.  Per " The AS MUST ensure the release of any privacy-sensitive data is legally based", recommend also including a forward reference to Section 9
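The review above asks which registries are the sources of valid members of the token_introspection claim, and what a consumer should do with a member that is in neither. The following is an added example, not code from the draft, its authors, or any OAuth implementation: a resource server builds and verifies a JWT introspection response with the standard library only, then sorts the members of token_introspection into the RFC 7662 introspection-response registry, the OpenID Connect Core claims from the JWT claims registry, and everything else. Assumptions: HS256 with a shared key is used so the example runs offline (the draft does not restrict the JWS algorithm; an RSA or EC key would be more realistic); the OpenID Core claim list is a partial, illustrative subset of the IANA registry; the "token-introspection+jwt" typ value follows my reading of the draft; the issuer, audience, key and sample token data are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Members registered in the IANA "OAuth Token Introspection Response"
# sub-registry by RFC 7662, Section 2.2.
INTROSPECTION_MEMBERS = frozenset({
    "active", "scope", "client_id", "username", "token_type",
    "exp", "iat", "nbf", "sub", "aud", "iss", "jti",
})

# Partial, illustrative subset (assumption, not the authoritative list) of
# "JSON Web Token Claims" registry entries whose reference is OpenID Connect Core 1.0.
OPENID_CORE_CLAIMS = frozenset({
    "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email",
    "email_verified", "gender", "birthdate", "zoneinfo", "locale",
    "phone_number", "phone_number_verified", "address", "updated_at",
    "auth_time", "acr", "amr", "azp", "nonce", "at_hash", "c_hash",
})

# Constructed sample data; none of these values come from the draft.
SAMPLE_ISS = "https://as.example.com"
SAMPLE_AUD = "https://rs.example.com"
SAMPLE_KEY = b"constructed-shared-secret-for-the-example"
SAMPLE_TOKEN_INTROSPECTION = {
    "active": True, "scope": "read write", "client_id": "example-client",
    "sub": "user-1234", "exp": 1598024623, "iat": 1598021023,
    "email": "user@example.com",   # JWT claim registered by OpenID Core
    "custom_tenant": "acme",       # in neither registry: flagged below
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_introspection_response(token_introspection: dict, iss: str, aud: str,
                                key: bytes, iat: Optional[int] = None) -> str:
    """AS side: wrap an introspection result in an HS256-signed JWT with iss, aud, iat."""
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}
    payload = {"iss": iss, "aud": aud,
               "iat": iat if iat is not None else int(time.time()),
               "token_introspection": token_introspection}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_introspection_response(jwt: str, key: bytes, expected_iss: str, expected_aud: str) -> dict:
    """RS side: check header, signature, iss and aud before trusting token_introspection."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "token-introspection+jwt":
        raise ValueError("unexpected alg or typ")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("iss") != expected_iss or payload.get("aud") != expected_aud:
        raise ValueError("iss/aud mismatch")
    if not isinstance(payload.get("token_introspection"), dict):
        raise ValueError("token_introspection missing or not a JSON object")
    return payload


def classify_members(token_introspection: dict) -> dict:
    """Sort token_introspection members by the registry that defines them."""
    result = {"introspection": [], "openid_core": [], "unregistered": []}
    for name in token_introspection:
        if name in INTROSPECTION_MEMBERS:
            result["introspection"].append(name)
        elif name in OPENID_CORE_CLAIMS:
            result["openid_core"].append(name)
        else:
            result["unregistered"].append(name)
    return result


if __name__ == "__main__":
    token = sign_introspection_response(SAMPLE_TOKEN_INTROSPECTION, SAMPLE_ISS, SAMPLE_AUD, SAMPLE_KEY)
    payload = verify_introspection_response(token, SAMPLE_KEY, SAMPLE_ISS, SAMPLE_AUD)
    print(json.dumps(classify_members(payload["token_introspection"]), indent=2))
```

The classifier deliberately does not decide what to do with the "unregistered" bucket; that is exactly the question the review puts to the draft. A consumer should at least log such members, and a strict deployment would reject the response, since an unknown member cannot be interpreted safely.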