Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Nikos Fotiou <> Tue, 24 March 2020 01:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4F27D3A0D3F for <>; Mon, 23 Mar 2020 18:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mBia5GTl6ymZ for <>; Mon, 23 Mar 2020 18:32:35 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BA6C63A09B5 for <>; Mon, 23 Mar 2020 18:32:33 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6910BA77; Tue, 24 Mar 2020 03:32:31 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=201901; t=1585013551; bh=xeTQeIXVS6stQ+DRj3VFONV9tOWd5Fv187uhve+3Nwk=; h=From:To:References:In-Reply-To:Subject:Date:From; b=YTEQs2ItihBW3ncnrQPtY5AIvTW1UOP1dV9d4g6QX/FIhVmBq4OeyuQH4uPslFCMm biJybc8gQHA0XcmmdzLPZErBc7I3zgdlPokT7X2vJ6bPofuRe8f5q4iF3Glc64AZ7Q oAwyeN+/DYZBx4vx0xCe0frvuAiMCjwTiwM1A7dXZHFCsqqQIzYZI7sySCb+HrMqJ8 AQ9mqYLRkdwKg9hwTLJHY8lZuUaYsIxR99nvk8FwdAlkZELJgImoaEmBQUUVW682CC vOcXzn9+DhbyDV05miWgiRnecZTdLVIr8u0pjPlGJ6scgLpr934pLg5JBdiVek5Wzy daUkqpTL0kIzw==
Received: from DESKTOP7VDSLBL ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: fotiou) by (Postfix) with ESMTPSA id 10EABAE6; Tue, 24 Mar 2020 03:32:29 +0200 (EET)
From: "Nikos Fotiou" <>
To: "'Hannes Tschofenig'" <>, "'oauth'" <>
References: <>
In-Reply-To: <>
Date: Tue, 24 Mar 2020 03:32:29 +0200
Message-ID: <01ec01d6017c$162eb2e0$428c18a0$>
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHpUDYTHxkJVh4ssWS8Yidi1aurtqgwQpqQ
MIME-Version: 1.0
Content-Language: el
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.; boundary="----=_NextPart_000_01E5_01D6018C.D887DC80"
Archived-At: <>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Mar 2020 01:32:38 -0000

Hi all,


Allow me some comments and forgive me if some of them are naïve.

- In Section 2.2 why nbf claim
( is not considered? I can
imagine some interesting applications of this claim.

- In the same section, it is not clear why some claims are required,
especially exp, sub, and client_id. The last two claims are not even used
during token validation.

- RFC7519 specifies that, in the general case, the aud claim is an array of
StringOrURI values. In this draft it is not clear if this still the case, or
here aud is a simple string (e.g., in page 5 it is stated: the resource
indicated in the aud claim, rather than the resource*s*).

- In the token validation procedure, i.e., Section 4, is there any reason
why the resource server first checks the aud claim, then the signature, and
finally the exp claim? Given the fact that Error responses are not
specified, returning something like “invalid aud claim” even for tokens with
invalid signature may result in privacy/security attacks.

- IMHO The token validation procedure it too bound to the particular
discovery mechanisms mentioned at the beginning of this section. E.g., Step
2 mentions a “registration” process, and Step 3 mentions and an “Issuer
Identifier” which must much the iss claim. Moreover, I think it should be
explicitly mentioned that the resource server “must validate that the JWT
access token has been singed with a signing key that corresponds to the
authorization server included in the iss claim”  






From: OAuth <> On Behalf Of Hannes Tschofenig
Sent: Monday, March 23, 2020 11:18 PM
To: oauth <>
Subject: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"


Hi all,


this is a working group last call for "JSON Web Token (JWT) Profile for
OAuth 2.0 Access Tokens".


Here is the document: 


Please send you comments to the OAuth mailing list by April 6, 2020.



Hannes & Rifaat

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you.