IETF Logo Mail Archive

Re: [OAUTH-WG] JWT - scope claim missing

Brian Campbell <bcampbell@pingidentity.com> Thu, 28 February 2013 19:25 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B704121F8519 for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 11:25:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.907
X-Spam-Level:
X-Spam-Status: No, score=-5.907 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgyrMoz1dsjq for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 11:25:03 -0800 (PST)
Received: from na3sys009aog122.obsmtp.com (na3sys009aog122.obsmtp.com [74.125.149.147]) by ietfa.amsl.com (Postfix) with ESMTP id C39C021F8501 for <oauth@ietf.org>; Thu, 28 Feb 2013 11:25:02 -0800 (PST)
Received: from mail-ob0-f199.google.com ([209.85.214.199]) (using TLSv1) by na3sys009aob122.postini.com ([74.125.148.12]) with SMTP ID DSNKUS+vDnZFRZp4PtbmTC2zqlfqdtTA47M1@postini.com; Thu, 28 Feb 2013 11:25:02 PST
Received: by mail-ob0-f199.google.com with SMTP id wd20so2000158obb.6 for <oauth@ietf.org>; Thu, 28 Feb 2013 11:25:02 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=BxaUrJmrhPFsm3lcTPKZMV63YyT799hB7vFYsCZ01xQ=; b=CExtaGsM4TV3yF2/wdbycoATD+n6oA5hKckP5TWSw4WBzlPzXSiebV32cbr965RGtx cmUn/6tOy5SmTkQOV+QsxNTkoVM60vueN+yt79FiR7A6xeeW2YR5mFAUP0Fg4virYHm0 r11AujqPL4SS2CGJP6DNbsd6nXOj+VihBg3pvQraO5uVRaHuOJT3q8hdyRF2kWN/FE0M 5r1bj9JB+kSMWxoSPXQ3xAVQhKf4q9jWvvWsKIPyXguNpS9pdJDkzP19L3dc1U9h4huH QNQKY5LwXdAWsz1Jv0xaxdgozqesi26NAaGHffn7FRMIFir7ZapaCl1Pynx5oxtY5KMO xiMA==
X-Received: by 10.50.151.179 with SMTP id ur19mr10855482igb.79.1362079501785; Thu, 28 Feb 2013 11:25:01 -0800 (PST)
X-Received: by 10.50.151.179 with SMTP id ur19mr10855472igb.79.1362079501644; Thu, 28 Feb 2013 11:25:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.32.106 with HTTP; Thu, 28 Feb 2013 11:24:31 -0800 (PST)
In-Reply-To: <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 28 Feb 2013 12:24:31 -0700
Message-ID: <CA+k3eCTyr7o9qmPKeL_-s9QHyNRQGO+kpB=jqUkgtYOWsC1=Tw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="e89a8f3b9ff5da0e5c04d6cdd863"
X-Gm-Message-State: ALoCoQl4/y6fUmcNShLYiGtgNqQZMFAF1Bgm8HjqoSLtMjkS0ZYmx2lEjC2h/60mKsO1jZJDNP9vhp+DDeVTwBxC9kJVxOzu/3gsag3qfhD8aR8SrTgWNFwm6lQnDCJttbeXoje1ROIR
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 19:25:12 -0000

To be fair, I think it was Phil who first conflated the things :) I just
picked up the ball and ran with it. But you are right, I did kind of hijack
the thread which was originally about if a scope claim should be defined in
draft-ietf-oauth-json-web-token. I'd say no but I can see how an argument
could be made the other way.


On Thu, Feb 28, 2013 at 12:03 PM, Brian Campbell <bcampbell@pingidentity.com
> wrote:

> I'm not sure anyone really "picked" the titles for the bearer token
> profiles. They just kind of evolved. And evolved in funny ways especially
> when client authn to the AS was added.
>
> You won't hear me argue that the titles are "good" and this is not the
> first time there's been confusion about what they actually do. They define
> new grant types and new client authentication methods. They *do not* define
> an access token format or anything else about access tokens. JWT and SAML
> could be used for that but that's not what these drafts do.
>
> Suggestions for better title(s) would be more than welcome.
>
> Here's what they are now:
>
> SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
> draft-ietf-oauth-saml2-bearer
>
>
> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>  draft-ietf-oauth-jwt-bearer
>
> Assertion Framework for OAuth 2.0
> draft-ietf-oauth-assertions
>
>
> On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Yes the title likely adds to the confusion given that the bearer tokens
>> are not access tokens.
>>
>> Things as separate from OAuth as the Firefox browerID spec use JWS signed
>> JWTs.
>>
>> The bearer token profiles for OAuth 2 are for OAuth2.
>>
>> The JSON Web Token (JWT)<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec
>> did not start in OAuth and is not OAuth specific.
>>
>> A JWT is:
>>
>> JSON Web Token (JWT)  A string representing a set of claims as a JSON
>>       object that is encoded in a JWS or JWE, enabling the claims to be
>>       digitally signed or MACed and/or encrypted.
>>
>>
>> So OAuth or other profiles may define claims to go in a JWT, but the JWT
>> needs to itself only define the claims necessary for security processing.
>>
>> John B.
>> PS that was a soft ball If you hadn't responded I would have been
>> disappointed.  I din't pick the title for the bearer token profiles.
>>
>>
>> On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>
>>
>>
>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>
>>
>> Note the title says "for OAuth2"
>>
>> Sorry. Couldn't resist.
>>
>> Phil
>>
>> Sent from my phone.
>>
>> On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> JWT is an assertion( I am probably going to regret using that word).
>>
>> It is used in openID connect for id_tokens, it is used in OAuth for
>> Assertion grant types and authentication of the client to the token
>> endpoint.
>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04
>>
>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>
>>
>> Dosen't define JWT's use for access tokens for the RS.
>>
>> Bottom line JWT is for more than access tokens.
>>
>> John B.
>>
>> On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> Are you saying jwt is not an access token type?
>>
>> Phil
>>
>> Sent from my phone.
>>
>> On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> Yes, defining scope in JWT is the wrong place.   JWT needs to stick to
>> the security claims needed to process JWT.
>>
>> I also don't know how far you get requiring a specific authorization
>> format for JWT, some AS will wan to use a opaque reference, some might want
>> to use a user claim or role claim, others may use scopes,  combining scopes
>> and claims is also possible.
>>
>> Right now it is up to a AS RS pair to agree on how to communicate
>> authorization.   I don't want MAC to be more restrictive than bearer when
>> it comes to authorization between AS and RS.
>>
>> Hannes wanted to know why JWT didn't define scope.  The simple answer is
>> that it is out of scope for JWT itself.   It might be defined in a OAuth
>> access token profile for JWT but it should not be specific to MAC.
>>
>> John B.
>> On 2013-02-28, at 8:44 AM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>> I think John's point was more that scope is something rather specific to
>> an OAuth access token and, while JWT is can be used to represent an access
>> token, it's not the only application of JWT. The 'standard' claims in JWT
>> are those that are believed (right or wrong) to be widely applicable across
>> different applications of JWT. One could argue about it but scope is
>> probably not one of those.
>>
>> It would probably make sense to try and build a profile of JWT
>> specifically for OAuth access tokens (though I suspect there are some
>> turtles and dragons in there), which might be the appropriate place to
>> define/register a scope claim.
>>
>>
>> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> Are you advocating TWO systems? That seems like a bad choice.
>>>
>>> I would rather fix scope than go to a two system approach.
>>>
>>> Phil
>>>
>>> Sent from my phone.
>>>
>>> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>> > While scope is one method that a AS could communicate authorization to
>>> a RS, it is not the only or perhaps even the most likely one.
>>> > Using scope requires a relatively tight binding between the RS and AS,
>>>  UMA uses a different mechanism that describes finer grained operations.
>>> > The AS may include roles, user, or other more abstract claims that the
>>> the client may (god help them) pass on to EXCML for processing.
>>> >
>>> > While having a scopes claim is possible, like any other claim it is
>>> not part of the JWT core security processing claims, and needs to be
>>> defined by extension.
>>> >
>>> > John B.
>>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <
>>> hannes.tschofenig@gmx.net> wrote:
>>> >
>>> >> Hi Mike,
>>> >>
>>> >> when I worked on the MAC specification I noticed that the JWT does
>>> not have a claim for the scope. I believe that this would be needed to
>>> allow the resource server to verify whether the scope the authorization
>>> server authorized is indeed what the client is asking for.
>>> >>
>>> >> Ciao
>>> >> Hannes
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email