Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
Denis <denis.ietf@free.fr> Mon, 13 April 2020 15:15 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE20E3A1752 for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 08:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmUd-PtR-LZc for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 08:15:30 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp11.smtpout.orange.fr [80.12.242.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E8943A17B2 for <oauth@ietf.org>; Mon, 13 Apr 2020 08:15:23 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d89 with ME id SFFH220084FMSmm03FFHlc; Mon, 13 Apr 2020 17:15:18 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 13 Apr 2020 17:15:18 +0200
X-ME-IP: 86.238.65.197
To: oauth@ietf.org
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <361d7891-01be-8e22-7765-613e727b2bc1@free.fr>
Date: Mon, 13 Apr 2020 17:15:16 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DDBFB801289E5E6826556362"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7amynNQnPFk0q7zdbPbPmgcTKHQ>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 15:15:32 -0000
Hello, More on privacy about "JWT Profile for Access Tokens". The current document REQUIRES the claim names *sub* and *client_id*. * sub REQUIRED - as defined in section 4.1.2 of [RFC7519]. * client_id REQUIRED - as defined in section 4.3 of [RFC8693] *1) **sub REQUIRED* RFC 7519 states: 4.1.2. "sub" (Subject) Claim The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to** *be locally unique in the context of the issuer or be globally unique*. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. *Use of this claim is OPTIONAL.* If *sub *is *REQUIRED *for this profile, then this allows all resource servers to link accesses made by the same client on different servers. *2) client_id REQUIRED* RFC 8693 states: 4.3. "client_id" (Client Identifier) Claim The client_id claim carries the client identifier of the OAuth 2.0 [RFC 6749] client that requested the token. RFC 6749 states: 2.2. Client Identifier The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. *The client identifier is unique to** ** the authorization server.* If *client_id* is REQUIRED for this profile, this also allows all resource servers to link accesses made by the same client on different servers. *Both claim names should be OPTIONAL *to allow to support the privacy principle of unlinkability. Would both names remain *REQUIRED*, the Privacy considerations section should mention that such a linkage by different resource servers will always be possible when using this profile. Denis > I have uploaded the second presentation for today's session, the JWT > Profile for Access Tokens. > https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth > > Regards, > Rifaat >
- [OAUTH-WG] Web Authorization Protocol (oauth) WG … IESG Secretary
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Dick Hardt
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Aaron Parecki
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Dick Hardt
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… George Fletcher
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… George Fletcher
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Manger, James
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef