Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-07.txt

Vittorio Bertocci <> Mon, 27 April 2020 18:29 UTC

Dear all,
Thanks for all the feedback at the last round. Here’s a new version of the draft incorporating your suggestions. Main changes:

- Added the None prohibition in section 2.1 as well
- Incorporated language suggestions from Dominick (and fixed the spelling of his last name ;))
- Clarified cases in which identity claims might appear in a JWT AT
- Various typos, formatting issues fixed

On 4/27/20, 11:27, "OAuth on behalf of" < on behalf of> wrote:

    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Web Authorization Protocol WG of the IETF.
        Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
        Author          : Vittorio Bertocci
        Filename        : draft-ietf-oauth-access-token-jwt-07.txt
        Pages           : 19
        Date            : 2020-04-27
       This specification defines a profile for issuing OAuth 2.0 access
       tokens in JSON web token (JWT) format.  Authorization servers and
       resource servers from different vendors can leverage this profile to
       issue and consume access tokens in interoperable manner.
    The IETF datatracker status page for this draft is:
    There are also htmlized versions available at:
    A diff from the previous version is available at:
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at
    Internet-Drafts are also available by anonymous FTP at: