Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

Mike Jones <> Wed, 18 April 2018 22:58 UTC

From: Mike Jones <>
To: Brian Campbell <>, Torsten Lodderstedt <>
CC: oauth <>
Date: Wed, 18 Apr 2018 22:58:46 +0000
Subject: Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

I’m OK with this change, given it makes the OAuth suite of specs more self-consistent.

                                                       -- Mike

From: OAuth <> On Behalf Of Brian Campbell
Sent: Wednesday, April 18, 2018 8:17 AM
To: Torsten Lodderstedt <>
Cc: oauth <>
Subject: Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

The draft-ietf-oauth-token-exchange document makes use of scope and at some point in that work it came to light that, despite the concept of scope being used lots of places elsewhere, there was no officially registered JWT claim for scope. As a result, we (the WG) decided to have draft-ietf-oauth-token-exchange define and register a JWT claim for scope. It's kind of an awkward place for it really but that's how it came to be there.
When I added it to the draft, I opted for the semi-convention of JWT using three letter short claim names. And decided to use a JSON array to convey multiple values rather than space delimiting. It seemed like a good idea at the time - more consistent with other JWT claim names and cleaner to use the facilities of JSON rather than a delimited string. That was the thinking at the time anyway and, as I recall, I asked the WG about doing it that way at one of the meetings and there was general, if somewhat absent, nodding in the room.
Looking at this again in the context of the question from Torsten and his developers, I think using a different name and syntax for the JWT claim vs. the Introspection response member/parameter/claim is probably a mistake. While RFC 7662 Introspection response parameters aren't exactly the same as JWT claims, they are similar in many respects. So giving consistent treatment across them to something like scope is
Therefore I propose that the JWT claim for representing scope in draft-ietf-oauth-token-exchange be changed to be consistent with the treatment of scope in RFC 7662 OAuth 2.0 Token Introspection. That effectively means changing the name from "scp" to "scope" and the value from a JSON array to a string delimited by spaces.
I realize it's late in the process to make this change but believe doing so will significantly reduce confusion and issues in the long run.

On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt <<>> wrote:
Hi all,

I’m wondering why draft-ietf-oauth-token-exchange-12 defines a claim "scp" to carry scope values while RFC 7591 and RFC 7662 use a claim "scope" for the same purpose. As far as I understand the text, the intention is to represent a list of RFC 6749 scopes. Is this correct? What’s the rationale behind it?

Different claim names for representing scope values confuse people. I realized that when one of our developers pointed out that difference recently.

best regards,
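The two representations discussed in this thread, the draft-12 "scp" claim (JSON array of scope values) and the RFC 7662-consistent "scope" claim (one space-delimited string, the form the token exchange spec adopted in the end as RFC 8693), differ in a way that a resource server has to handle deliberately. The code below is an added example, not the draft's or the WG's own code: it parses both forms strictly against the RFC 6749 section 3.3 ABNF (scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), tokens separated by exactly one SP), checks a token for required scopes, and emits the "scope" string form. It assumes the JWT payload has already been parsed from a signature-verified token into a dict; the function names, the sample payloads and the policy that a token carrying both claims must have them agree are all this example's own assumptions.

```python
"""Extracting and emitting OAuth scope from JWT claims in both representations.

Added example; not code from the draft or the mailing-list thread. Assumes the
payload dict comes from a token whose signature has already been verified.
"""
import re

# RFC 6749 section 3.3:  scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII except space, double quote and backslash; and
#       scope = scope-token *( SP scope-token )   (exactly one SP between tokens)
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def _check_token(tok):
    """Raise unless `tok` is a single well-formed scope-token."""
    if not isinstance(tok, str) or not _SCOPE_TOKEN.fullmatch(tok):
        raise ValueError("invalid scope-token: %r" % (tok,))
    return tok


def parse_scope_string(value):
    """Parse the RFC 7662-style 'scope' claim: one SP-delimited string."""
    if not isinstance(value, str) or value == "":
        raise ValueError("'scope' must be a non-empty string")
    # Strict split on a single SP: a leading, trailing or doubled space yields
    # an empty token, which the ABNF does not allow, so it is rejected.
    return {_check_token(t) for t in value.split(" ")}


def parse_scp_array(value):
    """Parse the draft-12 'scp' claim: a JSON array of scope-token strings."""
    if not isinstance(value, list) or not value:
        raise ValueError("'scp' must be a non-empty JSON array")
    return {_check_token(t) for t in value}


def scopes_from_claims(claims):
    """Return the set of scope values carried by a JWT payload (a dict).

    Accepts 'scope' (RFC 7662-consistent form) and 'scp' (draft-12 form). If an
    issuer emits both, e.g. mid-migration, this example requires them to agree
    instead of silently preferring one; that policy is an assumption here.
    """
    found = {}
    if "scope" in claims:
        found["scope"] = parse_scope_string(claims["scope"])
    if "scp" in claims:
        found["scp"] = parse_scp_array(claims["scp"])
    if not found:
        return set()
    if len(found) == 2 and found["scope"] != found["scp"]:
        raise ValueError("'scope' and 'scp' disagree: %r" % (found,))
    return next(iter(found.values()))


def has_required_scopes(claims, required):
    """True when every scope in `required` is granted by the token."""
    return set(required) <= scopes_from_claims(claims)


def format_scope_string(scopes):
    """Serialise scope values as an RFC 6749 / RFC 7662 'scope' string."""
    return " ".join(sorted({_check_token(t) for t in scopes}))


# Constructed sample payloads (not real tokens); signature checks assumed done.
DRAFT12_PAYLOAD = {"iss": "https://as.example", "sub": "alice", "scp": ["read", "write"]}
RFC7662_PAYLOAD = {"iss": "https://as.example", "sub": "alice", "scope": "read write"}

if __name__ == "__main__":
    for payload in (DRAFT12_PAYLOAD, RFC7662_PAYLOAD):
        print(sorted(scopes_from_claims(payload)), has_required_scopes(payload, ["write"]))
    print(format_scope_string({"write", "read"}))
```

The strict split matters in practice: a lenient `value.split()` would accept `"read  admin"` produced by sloppy string concatenation, whereas the ABNF says that is not a valid scope string at all, and rejecting it is the cheaper failure mode for an authorization decision.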