[OAUTH-WG] Interoperability Considerations (was draft-ietf-oauth-jwt-bearer-06)

Brian Campbell <bcampbell@pingidentity.com> Mon, 04 November 2013 19:52 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 4 Nov 2013 11:52:13 -0800
Message-ID: <CA+k3eCSsDHwJfcL8iANa=S5f13D++kRbz0fVk=m0yxXJSXoz+g@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] Interoperability Considerations (was draft-ietf-oauth-jwt-bearer-06)

On Fri, Nov 1, 2013 at 1:52 PM, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Section 5 about "Interoperability Considerations" says:
> "
> Specific items that require agreement are as
>    follows: values for the issuer and audience identifiers, the location
>    of the token endpoint, and the key used to apply and verify the
>    digital signature or keyed message digest over the JWT.
> "
> I believe that this list is not correct.

The list could probably be expanded to include a mention of how
subject is to be identified (related to discussion about subject [1])
as well as requirements the AS may place on upper limits of token
expiration and/or de-duping.

> What is needed is:
>  * At the authorization server there needs to be a whitelist of trusted
> issuers. For a successful protocol run the JWT needs to be created by an
> issuer who is in the whitelist.
>  * Along with the entry in the whitelist of trusted issuers needs to be a
> key.

That's one implementation approach. But not the only one. The intent
of this section is to note the information which needs to be
exchanged/agreed upon in order for the wire protocol to work. That's
all. Implementation particulars shouldn't be here.

> There is no new endpoint URL defined by this document. As such, I wouldn't
> mention those.

No, but there's been a request, which makes sense, to explicitly state
the items which need to be known, typically via service documentation,
in order to achieve interoperability. The token endpoint is one of
those items and OAuth provides no means of discovering it or
publishing it. So I feel it's very appropriate to mention it here.
And, by way of example, if you look at service documentation for
existing deployments, you'll see that it is included.

> I also do not think that the audience identifier needs to be agreed if you
> define it as the token endpoint URL of the authorization server (as I
> suggested above).

As I said in the previous mail on audience [2] and have been
arguing/explaining for a long time now, that suggestion is not viable
or realistic. And (as I mention above) the token endpoint URL *still*
needs to be communicated somehow. Documenting the expected value for
audience is just one more piece of information in a set of info that
has to be exchanged anyway.

[1] sub http://www.ietf.org/mail-archive/web/oauth/current/msg12250.html
[2] aud http://www.ietf.org/mail-archive/web/oauth/current/msg12251.html
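The following is an added illustration, not code from the draft or from either author, of how the items discussed in this thread fit together at an authorization server: a whitelist of trusted issuers each paired with a key (Hannes's approach), the token endpoint URL used as the expected audience, an upper limit on assertion lifetime, and de-duping on "jti". The configuration values, URLs and HS256 shared secret are constructed for the example; a deployment would instead document and exchange them out of band as Section 5 describes.

```python
import base64, hashlib, hmac, json, time
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Items agreed out of band (hypothetical AS configuration): trusted issuers mapped
# to their keys, the token endpoint (expected "aud"), a lifetime cap, a jti replay cache.
TOKEN_ENDPOINT = "https://as.example.com/token"
TRUSTED_ISSUERS = {"https://client.example.org": b"constructed-shared-secret"}
MAX_LIFETIME = 300  # seconds the AS is willing to accept between now and "exp"
seen_jti = set()

def make_assertion(iss, key, claims):
    """Client side: HS256 JWT (keyed message digest) over the claims, for the demo."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(dict(claims, iss=iss)).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_assertion(jwt, now=None):
    """AS side: returns (ok, reason). The key is selected by the whitelisted issuer."""
    now = time.time() if now is None else now
    try:
        header, body, sig = jwt.split(".")
        hdr, claims, mac = (json.loads(b64url_decode(header)),
                            json.loads(b64url_decode(body)), b64url_decode(sig))
    except (ValueError, TypeError):
        return False, "malformed"
    if not (isinstance(hdr, dict) and isinstance(claims, dict)) or hdr.get("alg") != "HS256":
        return False, "malformed or unexpected alg"
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    if claims.get("aud") != TOKEN_ENDPOINT:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "missing or expired exp"
    if exp - now > MAX_LIFETIME:
        return False, "lifetime exceeds AS limit"
    jti = claims.get("jti")
    if jti is not None:
        if jti in seen_jti:
            return False, "replayed jti"
        seen_jti.add(jti)
    return True, "ok"
```

Every rejection branch corresponds to one of the agreed items being absent or mismatched, which is the practical reason the list in Section 5 has to be communicated somehow before the wire protocol can work.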