Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Antonio Sanso <asanso@adobe.com> Tue, 11 March 2014 14:57 UTC

From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Tue, 11 Mar 2014 14:56:52 +0000
Message-ID: <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net>
In-Reply-To: <531F1F72.8010805@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/AxD9HPBbZLFv-a1GPr2vL4ZvYh0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

hi Hannes,

I am aware of the 2 documents.

I might be wrong, but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation) and not only Client Authentication Processing.

Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)

regards

antonio

On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Manfred, Hi Antonio,
> 
> Note that there are two documents that talk about the JWT and you guys
> might be looking at the wrong document.
> 
> The main JWT document (see
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
> the subject claim as optional (see Section 4.1.2).
> 
> The JWT bearer assertion document (see
> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
> define it as mandatory but that's intentional since the purpose of the
> spec is to authenticate the client (or the resource owner for an
> authorization grant).
> 
> The assertion documents are used for interworking with "legacy" identity
> infrastructure (such as SAML federations).
> 
> So, are you sure you are indeed looking at the right document?
> 
> Ciao
> Hannes
> 
> 
> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>> hi *,
>> 
>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>> 
>> The JWT MUST contain a "sub" (subject) claim 
>> 
>> 
>> Now IMHO there are cases where having the sub is either not needed or
>> redundant (since it might overlap with the issuer).
>> 
>> As far as I can see “even Google” currently violates this spec [1] ( I
>> know that this doesn’t matter, just wanted to bring a real use case
>> scenario).
>> 
>> WDYT, might the “sub” be optional in some situations?
>> 
>> regards
>> 
>> antonio 
>> 
>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
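As an added illustration of the distinction Hannes draws above (example code written for this archive page, not code from the draft, from Google, or from either poster's implementation), the Python below checks one decoded JWT claim set against the two rule sets the thread is comparing: the base JWT spec, where "sub" is optional, and the bearer-assertion profile, where "iss", "sub", "aud" and "exp" are all required. The sample claim set is constructed to look like a client-credentials style assertion that names an issuer but carries no subject, the shape under discussion; the token-endpoint URL, issuer name, clock value and the rule that "sub" must equal the client_id in the client-authentication case are this example's own assumptions. Signature or MAC verification is assumed to happen before these checks.

```python
"""Claim-set checks for a JWT used as an OAuth 2.0 bearer assertion.

Example added to this archive page; not code from the draft, from Google, or
from either poster.  It contrasts two rule sets for the same decoded claim set:

  * the base JWT spec, where every registered claim (including "sub") is
    optional, and
  * the JWT bearer assertion profile, where "iss", "sub", "aud" and "exp"
    are all required.

Signature/MAC verification is assumed to have happened before these checks.
"""

# Required-claim lists for the two rule sets.  The bearer-profile list follows
# the profile's Section 3 (iss, sub, aud, exp are MUSTs; nbf/iat/jti are MAYs).
BASE_JWT_REQUIRED = ()
BEARER_REQUIRED = ("iss", "sub", "aud", "exp")

# Fixed clock and endpoint so the example is deterministic and runs offline.
# Both values are constructed for this example.
NOW = 1394550000                      # 2014-03-11 15:00 UTC, roughly the thread's date
TOKEN_ENDPOINT = "https://as.example/token"

# Constructed sample: a client-credentials style assertion that names an
# issuer but carries no "sub" claim, the shape discussed in the thread.
SERVICE_ACCOUNT_STYLE = {
    "iss": "robot@project.example",
    "scope": "https://api.example/auth/read",
    "aud": TOKEN_ENDPOINT,
    "exp": NOW + 600,
    "iat": NOW,
}


def find_violations(claims, *, required, expected_aud, now, leeway=60, client_id=None):
    """Return a list of human-readable violations; an empty list means the
    claim set is acceptable under the given rule set."""
    problems = []

    for name in required:
        if name not in claims:
            problems.append(f"missing required claim '{name}'")

    # "aud" may be a single string or a list; this server must be named in it.
    aud = claims.get("aud")
    if aud is not None:
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            problems.append("aud does not name this authorization server")

    # Time checks, with a small leeway for clock skew.
    exp = claims.get("exp")
    if exp is not None and exp <= now - leeway:
        problems.append("assertion has expired")
    nbf = claims.get("nbf")
    if nbf is not None and nbf > now + leeway:
        problems.append("assertion is not yet valid")

    # Client-authentication case: the profile ties "sub" to the client_id
    # (assumption made for this example; only applied when a client_id is given).
    if client_id is not None and "sub" in claims and claims["sub"] != client_id:
        problems.append("sub must equal the client_id for client authentication")

    return problems


def validate_base_jwt(claims, expected_aud=TOKEN_ENDPOINT, now=NOW):
    """Base JWT rules: nothing is required, but claims that are present must be valid."""
    return find_violations(claims, required=BASE_JWT_REQUIRED,
                           expected_aud=expected_aud, now=now)


def validate_bearer_assertion(claims, expected_aud=TOKEN_ENDPOINT, now=NOW, client_id=None):
    """Bearer-assertion profile rules: iss/sub/aud/exp required, plus the
    audience, time and (optionally) client_id checks."""
    return find_violations(claims, required=BEARER_REQUIRED,
                           expected_aud=expected_aud, now=now, client_id=client_id)


if __name__ == "__main__":
    print("base JWT      :", validate_base_jwt(SERVICE_ACCOUNT_STYLE) or "ok")
    print("bearer profile:", validate_bearer_assertion(SERVICE_ACCOUNT_STYLE) or "ok")
    # Adding sub == iss (the redundancy Antonio describes) satisfies the profile.
    with_sub = dict(SERVICE_ACCOUNT_STYLE, sub=SERVICE_ACCOUNT_STYLE["iss"])
    print("with sub      :", validate_bearer_assertion(with_sub, client_id=with_sub["iss"]) or "ok")
```

Run stand-alone, the same subject-less claim set passes the base JWT check and fails the bearer-profile check solely on the missing "sub"; adding a "sub" equal to "iss" makes it pass, which is exactly the redundancy the thread is debating.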