Re: [OAUTH-WG] Proposed URN for JWT token type: urn:ietf:params:oauth:token-type:jwt

Brian Campbell <bcampbell@pingidentity.com> Tue, 01 May 2012 23:26 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 1 May 2012 17:26:19 -0600
Message-ID: <CA+k3eCR7krjyGLmaHrutoq8_xKTMFwug-1q+VhO4Nk6gwtTpjQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed URN for JWT token type: urn:ietf:params:oauth:token-type:jwt

The only concern I might raise with it is that use of the "token-type"
part might lead to some confusion. The term token type and the
parameter token_type are already pretty loaded and have specific
meaning from the core OAuth framework:
http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-7.1

That token type is about providing "the client with the information
required to successfully utilize the access token to make a protected
resource request" (i.e. mac and bearer) and is not about the structure
of the token itself which is what this URI seems to want to describe.
JWTs are usually thought of as bearer type tokens but might someday
have HoK (http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120430/001860.html)
or mac-like constructs.

I don't think there's really a problem with name collisions here but I
think that the current use of token type in the framework spec is
already the cause of some confusion and I'd hate to exacerbate that.

On Tue, May 1, 2012 at 5:04 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> I’m editing the JWT spec to prepare for the OAuth WG version and to track
> changes in the JOSE specs.  Currently the “typ” values defined for JWT
> tokens are “JWT” and “http://openid.net/specs/jwt/1.0” (see
> http://tools.ietf.org/html/draft-jones-json-web-token-08#section-5).  I
> believe that the URN value should be changed to use a URN taken from the
> OAuth URN namespace urn:ietf:params:oauth (defined in
> http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02).
>
> I propose to use the URN:
>
>                urn:ietf:params:oauth:token-type:jwt
>
> I believe this fits well with the other four uses of this namespace to date:
>
>                urn:ietf:params:oauth:grant-type:saml2-bearer
>
>                urn:ietf:params:oauth:client-assertion-type:saml2-bearer
>
>                urn:ietf:params:oauth:grant-type:jwt-bearer
>
>                urn:ietf:params:oauth:client-assertion-type:jwt-bearer
>
> (The first two are from
> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-11.  The latter two
> are from http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-04.)
>
> Do people agree with this URN choice?
>
>                                                             Thanks,
>
>                                                             -- Mike
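The distinction Brian draws above, between the OAuth `token_type` response parameter (how the client presents the token: bearer or mac) and the JWT header `typ` (what the token is structurally), is easy to see in code. The following is an added illustration written for this archive page; it is not code from either correspondent or from any OAuth or JWT specification. It assumes an HS256-signed JWT with a constructed shared secret, and it uses both `typ` values mentioned in the thread, the current `"JWT"` and the proposed `urn:ietf:params:oauth:token-type:jwt`. The client side never inspects the token, while the resource server checks signature, `alg` and `typ` before trusting the claims.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real authorization server uses its own key.
SIGNING_KEY = b"example-shared-secret-for-illustration-only"

# Header "typ" values discussed in the thread: the current value and the proposed URN.
TYP_JWT = "JWT"
TYP_URN = "urn:ietf:params:oauth:token-type:jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_jwt(claims: dict, typ: str = TYP_JWT) -> str:
    """Authorization server side: build an HS256-signed compact JWT.

    The header "typ" describes the structure of the token (it is a JWT).
    It says nothing about how a client should present the token to a resource.
    """
    header = {"alg": "HS256", "typ": typ}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return signing_input + "." + _b64url(_hs256(signing_input))


def token_response(access_token: str) -> dict:
    """Token endpoint response. The OAuth "token_type" parameter tells the client
    how to use the access token (here: as a bearer token), whatever its structure."""
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


def authorization_header(response: dict) -> str:
    """Client side: the presentation scheme is chosen from token_type alone;
    the client never needs to look inside the token."""
    if response["token_type"].lower() != "bearer":
        raise ValueError("only the bearer scheme is implemented in this example")
    return "Bearer " + response["access_token"]


def jwt_header_typ(token: str) -> str:
    """Read the (unverified) header "typ" of a compact-serialised JWT."""
    return json.loads(_b64url_decode(token.split(".")[0])).get("typ")


def verify_jwt(token: str, expected_typ: str) -> dict:
    """Resource server side: check signature, algorithm and header "typ",
    then return the claims. Raises ValueError on any mismatch."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    signing_input = parts[0] + "." + parts[1]
    if not hmac.compare_digest(_hs256(signing_input), _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if header.get("typ") != expected_typ:
        raise ValueError("unexpected typ: %r" % header.get("typ"))
    return json.loads(_b64url_decode(parts[1]))


def accepts(token: str, expected_typ: str) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need accept/reject."""
    try:
        verify_jwt(token, expected_typ)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    jwt = mint_jwt({"iss": "https://as.example", "sub": "alice"}, typ=TYP_URN)
    resp = token_response(jwt)
    print("token_type (usage):    ", resp["token_type"])   # Bearer
    print("header typ (structure):", jwt_header_typ(jwt))  # the proposed URN
    print("Authorization:", authorization_header(resp)[:30] + "...")
    print("claims:", verify_jwt(jwt, TYP_URN))
```

Whichever `typ` the JWT carries, the token response still says `"token_type": "Bearer"`, which is why a URN naming the token's structure is a different thing from the `token_type` parameter in the framework spec. A resource server that pins `typ` (as `verify_jwt` does) rejects a token minted for a different purpose even when the signature is valid.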