Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

Pedro Igor Silva <psilva@redhat.com> Wed, 10 April 2019 20:39 UTC

From: Pedro Igor Silva <psilva@redhat.com>
Date: Wed, 10 Apr 2019 17:38:51 -0300
Message-ID: <CAJrcDBcSmRR20RZDSzRDow7-V49yAE88yqQWz=FwdE8NZC3nJA@mail.gmail.com>
To: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A7XgAwbgfT0VI69i1Uf2FhFKQjo>

+1 plus Anthony's caveats.

The draft seems to provide a good reference for implementors by showing
how different ASes are using JWT as the access token format, as well as
providing valuable information about validation and security considerations.

Regards.
Pedro Igor

On Wed, Apr 10, 2019 at 8:12 AM Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org> wrote:

> I support adoption of this draft as a working group document with the
> following caveats:
>
> 1. These are not to be used as ID Tokens/authentication tokens
> 2. The privacy issues must be addressed
> 3. Needs to be extensible, much like ID-Token, can't be 100% fixed
>
>
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> Sent: Monday, April 8, 2019 10:07 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens
>
> Hi all,
>
> this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'
> document following the positive feedback at the last IETF meeting in Prague.
>
> Here is the document:
>
> https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00
>
> Please let us know by April 22nd whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth working
> group.
>
> Ciao
> Hannes & Rifaat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>