[OAUTH-WG] -00 of draft-bradley-stateless-oauth-client

Brian Campbell <bcampbell@pingidentity.com> Sun, 03 November 2013 16:36 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 8E12B11E815F for <oauth@ietfa.amsl.com>; Sun, 3 Nov 2013 08:36:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.865
X-Spam-Status: No, score=-5.865 tagged_above=-999 required=5 tests=[AWL=0.111, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id R9Jq2J35LvWr for <oauth@ietfa.amsl.com>; Sun, 3 Nov 2013 08:36:43 -0800 (PST)
Received: from na3sys009aog131.obsmtp.com (na3sys009aog131.obsmtp.com []) by ietfa.amsl.com (Postfix) with ESMTP id 431ED11E81FE for <oauth@ietf.org>; Sun, 3 Nov 2013 08:36:35 -0800 (PST)
Received: from mail-ie0-f172.google.com ([]) (using TLSv1) by na3sys009aob131.postini.com ([]) with SMTP ID DSNKUnZ7kKIELnL8bMPeVgZ4nUM1xRCe3HQ8@postini.com; Sun, 03 Nov 2013 08:36:35 PST
Received: by mail-ie0-f172.google.com with SMTP id tp5so10999182ieb.17 for <oauth@ietf.org>; Sun, 03 Nov 2013 08:36:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=2wMjmwuGdOE/fR+aaYSwJizL52Rc4yI1i/HRK7JpprA=; b=Sb+OxF1fgVrgUlkmNW3iz901Ld4V9cszMFZpg9ZfVxMt6VWNsq2scWRixw8JX0x8wW P3p+WXIzvB0gcmEVN+9gDla2ktuk79IWf7g/WloSIEZJO1qzy0sbcBG3s06Vexql5/AK vQjXmnBTdl7F3cxhNnaARl6YOiNaVfGwUy+GpZu3v0zrCB0q1oKLZQ2Ehzo6p2JGrP+w KdbHKFcQd9TwSGVIPT3OZ1KNKZCrBJ06Ouzp2VT5Lc8Ki5RitZYW0HnN8DokLNw5HI9d yWn6ZKsCR8D6jJ9dgqNPstYkJBsPFzKqOomwXOZ1r6MtuhsUnUvgPqDVKeEMzzX9q+U6 hu7Q==
X-Gm-Message-State: ALoCoQntHxJNm9cKgVm8NYfzJV+iMQFIx4epnfCBP/rEm4PRG4m8YEpNPyypYeI6IBXvBMBvsdKN7T7+Z9/BD11G/l94b/7Lmb6RvszzhP1bT4XhdpKPHuZepePQ9c6fTVVDLiAsr355T1iwCp5/J9slZoYElT5crw==
X-Received: by with SMTP id 6mr9381265igl.0.1383496592422; Sun, 03 Nov 2013 08:36:32 -0800 (PST)
X-Received: by with SMTP id 6mr9381259igl.0.1383496592245; Sun, 03 Nov 2013 08:36:32 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sun, 3 Nov 2013 08:36:02 -0800 (PST)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 3 Nov 2013 08:36:02 -0800
Message-ID: <CA+k3eCSR+hVFsYnbOzvmxc771kHpe8k1V_Lfo+LFVOy34J=7ow@mail.gmail.com>
To: oauth <oauth@ietf.org>, "<openid-specs-ab@lists.openid.net>" <openid-specs-ab@lists.openid.net>
Content-Type: multipart/alternative; boundary=047d7bd770a4ede5c504ea486681
Subject: [OAUTH-WG] -00 of draft-bradley-stateless-oauth-client
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2013 16:36:56 -0000

Some musings on

Abstract: "... allowing for fully stateless operation." --> saying that the
statelessness is on the AS side might avoid some confusion. The client is
still going to have to maintain state.

The kid is header rather than a claim.

"The issuer SHOULD sign the JWT with JWS ...  issuer MAY encrypt the JWT
with JWE." --> this text seems a little off given that the most common
case, I'd think, would be an AS who issues these client id JWTs only for
its own consumption using JWE's AES_CBC_HMAC_SHA2 which gives encryption
and integrity protection.

Does the relationship between the "iat" and "exp" claims here and the
"client_secret_expires_at" and "client_id_issued_at" parameters of dyn reg
need to be explained or explored more? Strikes me as potentially

And what happens when one of these JWT client ids expires or needs to be
updated? Or the keys used to create or verify them expire? I know the
answer thus far has been that the client will just have to get a new one.
But I feel like that might be too limiting in practice. I'd like to further
pursue understanding/defining how these kinds of client ids might be used
in conjunction with a longer lived way to identify the client that allows
the client id (i.e. the metadata) to change but can allow correlation
across such changes (the sub claim in this doc even suggests that a client
might have such an identifier).

As was pointed out in another review, there's a difference between
documenting how it's possible for an AS to issue "stateless" client ids for
its own use and defining something that allows for some other party to
issue such ids. It may make sense to discuss them in the same document but
I believe it'd be valuable to have the doc acknowledge and address the
difference more.