IETF Logo Mail Archive

Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 April 2018 19:13 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FAB912DA46 for <oauth@ietfa.amsl.com>; Mon, 23 Apr 2018 12:13:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f7vsDj6ntVdB for <oauth@ietfa.amsl.com>; Mon, 23 Apr 2018 12:13:55 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9BED12D947 for <oauth@ietf.org>; Mon, 23 Apr 2018 12:13:54 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id h143-v6so12391501ita.4 for <oauth@ietf.org>; Mon, 23 Apr 2018 12:13:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JJSdnaw3SVTYYskSi9oDLcq5tGadJL9Adf0HMji5j0A=; b=nFr3USFYDnQM20U7W9ByroZ+xSTDbATPCLr8+VkOuWVjf+gw1vkDRgdsDsJmTE9hZj +hvVr8r8oFB6QyxbkeOqabGH9xOENdgkZTwYJ5wAUOP2udVCIilINfYRjgTse8toh763 iZvXT+E51EIsNuViKEUn54eKCe3sxuWdqHPls=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JJSdnaw3SVTYYskSi9oDLcq5tGadJL9Adf0HMji5j0A=; b=NpcvVx8wJuDm1rsjCk7JTHElP0BWTols9tbG3TTPd7EvwuV8EDmhooWOX/bxSvCiQO SIZU4YpHrAWvmtUPCssRn4PaErpGZSxZ6pYQkCD9PqTTpEqEJDMCoi1Xg5Pq2dLxRg3b igek+Z6Ukf0sBHoCuRfwPw3ZnHVHwsXBXggZ/C2CMMrGdYhXUYN+iTpZz5F3qMf5mI1u Qcz09FGeTrpOjIE1SG10fdDQJH1M4L3xRnfcaMhYHmtxkEzD6G7tbtHeIPZ3CfvbWptw ZkSvp8hMDschTp4XVnNSS9EiCh1ycGuwyrLyXWKxrO2aHI7FE5k7jRNjWQNqZ7hABkWw IGwQ==
X-Gm-Message-State: ALQs6tBdNsaILbXAljKzBIFWkCq3gRzzh1Q3I7FJUl0n6Httv15SpkPm iPcsS0wlCj8bZfDosHBEGiC+fgCZvm9Vn8Y4n0qHQ2pWtcJQbahx0NoV2/Lgmt4jGR8OvSe3RPX qLRG8TVXrOcIkrQ==
X-Google-Smtp-Source: AB8JxZrciaq8pTsEFiyTGyKtz5eWS/osVEbBIUWO0XC9W7CyMX6svv9/IesOe1gGVRkPACvI+YTGPvwv9JNFnCXroDI=
X-Received: by 2002:a24:2f8d:: with SMTP id j135-v6mr15421785itj.53.1524510833966; Mon, 23 Apr 2018 12:13:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Mon, 23 Apr 2018 12:13:23 -0700 (PDT)
In-Reply-To: <99725E0A-45F8-4E5C-8AAF-6F6C38110F2A@lodderstedt.net>
References: <C1972A3F-98FD-44FF-8090-2C141A801F76@lodderstedt.net> <CA+k3eCTsewdV_pHpV-WSbE39y7nN9x0tVch0-E3+sE6R2Wpwtw@mail.gmail.com> <MW2PR00MB029825EA57103F4FFD0DB57DF5B60@MW2PR00MB0298.namprd00.prod.outlook.com> <99725E0A-45F8-4E5C-8AAF-6F6C38110F2A@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Apr 2018 13:13:23 -0600
Message-ID: <CA+k3eCRZ9PZkQxoH2Jms1pQ4+rPH05nGaP3gjjDc=vNJ+J_f-w@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b72faa056a88d63a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7mSgrK844hPZmf-gVJS_Cdto9VU>
Subject: Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 19:14:01 -0000

I just noticed/remembered that the draft also currently defines a "cid"
claim for the client identifier where Introspection's RFC 7662 already uses
"client_id" for the same thing. The reason for using "cid" was similar in
that I was looking to follow the semi-convention of JWT using three letter
short claim names. But I think consistency with RFC 7662 is more important
and meaningful here. So, barring a rough conscious of objections, I'm going
to make that change too in a soon-to-be next revision of the draft.



On Thu, Apr 19, 2018 at 7:38 AM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> +1 - It will makes thinks much simpler.
>
>
> Am 19.04.2018 um 00:58 schrieb Mike Jones <Michael.Jones@microsoft.com>:
>
> I’m OK with this change, given it makes the OAuth suite of specs more
> self-consistent.
>
>
>
>                                                        -- Mike
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of * Brian Campbell
> *Sent:* Wednesday, April 18, 2018 8:17 AM
> *To:* Torsten Lodderstedt <torsten@lodderstedt.net>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12
>
>
>
> The draft-ietf-oauth-token-exchange document makes use of scope and at
> some point in that work it came to light that, despite the concept of scope
> being used lots of places elsewhere, there was no officially registered JWT
> claim for scope. As a result, we (the WG) decided to have
> draft-ietf-oauth-token-exchange define and register a JWT claim for
> scope. It's kind of an awkward place for it really but that's how it came
> to be there.
>
> When I added it to the draft, I opted for the semi-convention of JWT using
> three letter short claim names.. And decided to use a JSON array to convey
> multiple values rather than space delimiting. It seemed like a good idea at
> the time - more consistent with other JWT claim names and cleaner to use
> the facilities of JSON rather than a delimited string. That was the
> thinking at the time anyway and, as I recall, I asked the WG about doing it
> that way at one of the meetings and there was general, if somewhat absent,
> nodding in the room.
>
> Looking at this again in the context of the question from Torsten and his
> developers, I think using a different name and syntax for the JWT claim
> vs.. the Introspection response member/parameter/claim is probably a
> mistake.  While RFC 7662 Introspection response parameters aren't exactly
> the same as JWT claims, they are similar in many respects. So giving
> consistent treatment across them to something like scope is
>
> Therefore I propose that the JWT claim for representing scope in
> draft-ietf-oauth-token-exchange be changed to be consistent with the
> treatment of scope in RFC 7662 OAuth 2.0 Token Introspection. That
> effectively means changing the name from "scp" to "scope" and the value
> from a JSON array to a string delimited by spaces.
>
> I realize it's late in the process to make this change but believe doing
> so will significantly reduce confusion and issues in the long run.
>
>
>
>
>
>
>
>
>
>
> On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>
> Hi all,
>
> I I’m wondering why draft-ietf-oauth-token-exchange-12 defines a claim
> „scp“ to carry scope values while RFC 7591 and RFC 7662 use a claim „scope“
> for the same purpose. As far as I understand the text, the intension is to
> represent a list of RFC6749 scopes. Is this correct? What’s the rationale
> behind?
>
> Different claim names for representing scope values confuse people. I
> realized that when one of our developers pointed out that difference
> recently.
>
> best regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email