Re: [OAUTH-WG] JWT - scope claim missing

prateek mishra <prateek.mishra@oracle.com> Thu, 28 February 2013 20:44 UTC

Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 909A121F89B2 for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 12:44:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.565
X-Spam-Level:
X-Spam-Status: No, score=-6.565 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMHFl3lMnFdW for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 12:44:05 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id B9CCF21F89CC for <oauth@ietf.org>; Thu, 28 Feb 2013 12:44:03 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r1SKi2V6016227 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 28 Feb 2013 20:44:03 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r1SKi1ha015048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Feb 2013 20:44:02 GMT
Received: from abhmt110.oracle.com (abhmt110.oracle.com [141.146.116.62]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r1SKi1Ad023595; Thu, 28 Feb 2013 14:44:01 -0600
Received: from [10.152.55.88] (/10.152.55.88) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 28 Feb 2013 12:44:00 -0800
Message-ID: <512FC18D.1020803@oracle.com>
Date: Thu, 28 Feb 2013 15:43:57 -0500
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: oauth@ietf.org, Brian Campbell <bcampbell@pingidentity.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com>
In-Reply-To: <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010101070200010105050902"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 20:44:06 -0000

SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization 
Grants
JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
Assertion Framework for OAuth 2.0 <as above>

a bit wordy, but does get the point across IMO

- prateek
> I'm not sure anyone really "picked" the titles for the bearer token 
> profiles. They just kind of evolved. And evolved in funny ways 
> especially when client authn to the AS was added.
>
> You won't hear me argue that the titles are "good" and this is not the 
> first time there's been confusion about what they actually do. They 
> define new grant types and new client authentication methods. They *do 
> not* define an access token format or anything else about access 
> tokens. JWT and SAML could be used for that but that's not what these 
> drafts do.
>
> Suggestions for better title(s) would be more than welcome.
>
> Here's what they are now:
>
> SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
> draft-ietf-oauth-saml2-bearer
>
> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
> draft-ietf-oauth-jwt-bearer
>
> Assertion Framework for OAuth 2.0
> draft-ietf-oauth-assertions
>
> On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>     Yes the title likely adds to the confusion given that the bearer
>     tokens are not access tokens.
>
>     Things as separate from OAuth as the Firefox browerID spec use JWS
>     signed JWTs.
>
>     The bearer token profiles for OAuth 2 are for OAuth2.
>
>     The JSON Web Token (JWT)
>     <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec
>     did not start in OAuth and is not OAuth specific.
>
>     A JWT is:
>
>     JSON Web Token (JWT)  A string representing a set of claims as a JSON
>            object that is encoded in a JWS or JWE, enabling the claims to be
>            digitally signed or MACed and/or encrypted.
>
>
>     So OAuth or other profiles may define claims to go in a JWT, but
>     the JWT needs to itself only define the claims necessary for
>     security processing.
>
>     John B.
>     PS that was a soft ball If you hadn't responded I would have been
>     disappointed.  I din't pick the title for the bearer token profiles.
>
>
>     On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com
>     <mailto:phil.hunt@oracle.com>> wrote:
>
>>              
>>
>>
>>       JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>
>>
>>     Note the title says "for OAuth2"
>>
>>     Sorry. Couldn't resist.
>>
>>     Phil
>>
>>     Sent from my phone.
>>
>>     On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com
>>     <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>>     JWT is an assertion( I am probably going to regret using that
>>>     word).
>>>
>>>     It is used in openID connect for id_tokens, it is used in OAuth
>>>     for Assertion grant types and authentication of the client to
>>>     the token endpoint.
>>>     http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04
>>>
>>>
>>>       JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>>
>>>
>>>     Dosen't define JWT's use for access tokens for the RS.
>>>
>>>     Bottom line JWT is for more than access tokens.
>>>
>>>     John B.
>>>
>>>     On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com
>>>     <mailto:phil.hunt@oracle.com>> wrote:
>>>
>>>>     Are you saying jwt is not an access token type?
>>>>
>>>>     Phil
>>>>
>>>>     Sent from my phone.
>>>>
>>>>     On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com
>>>>     <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>
>>>>>     Yes, defining scope in JWT is the wrong place.   JWT needs to
>>>>>     stick to the security claims needed to process JWT.
>>>>>
>>>>>     I also don't know how far you get requiring a specific
>>>>>     authorization format for JWT, some AS will wan to use a opaque
>>>>>     reference, some might want to use a user claim or role claim,
>>>>>     others may use scopes,  combining scopes and claims is also
>>>>>     possible.
>>>>>
>>>>>     Right now it is up to a AS RS pair to agree on how to
>>>>>     communicate authorization.   I don't want MAC to be more
>>>>>     restrictive than bearer when it comes to authorization between
>>>>>     AS and RS.
>>>>>
>>>>>     Hannes wanted to know why JWT didn't define scope.  The simple
>>>>>     answer is that it is out of scope for JWT itself.   It might
>>>>>     be defined in a OAuth access token profile for JWT but it
>>>>>     should not be specific to MAC.
>>>>>
>>>>>     John B.
>>>>>     On 2013-02-28, at 8:44 AM, Brian Campbell
>>>>>     <bcampbell@pingidentity.com
>>>>>     <mailto:bcampbell@pingidentity.com>> wrote:
>>>>>
>>>>>>     I think John's point was more that scope is something rather
>>>>>>     specific to an OAuth access token and, while JWT is can be
>>>>>>     used to represent an access token, it's not the only
>>>>>>     application of JWT. The 'standard' claims in JWT are those
>>>>>>     that are believed (right or wrong) to be widely applicable
>>>>>>     across different applications of JWT. One could argue about
>>>>>>     it but scope is probably not one of those.
>>>>>>
>>>>>>     It would probably make sense to try and build a profile of
>>>>>>     JWT specifically for OAuth access tokens (though I suspect
>>>>>>     there are some turtles and dragons in there), which might be
>>>>>>     the appropriate place to define/register a scope claim.
>>>>>>
>>>>>>
>>>>>>     On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt
>>>>>>     <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>>>>>
>>>>>>         Are you advocating TWO systems? That seems like a bad choice.
>>>>>>
>>>>>>         I would rather fix scope than go to a two system approach.
>>>>>>
>>>>>>         Phil
>>>>>>
>>>>>>         Sent from my phone.
>>>>>>
>>>>>>         On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com
>>>>>>         <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>>>
>>>>>>         > While scope is one method that a AS could communicate
>>>>>>         authorization to a RS, it is not the only or perhaps even
>>>>>>         the most likely one.
>>>>>>         > Using scope requires a relatively tight binding between
>>>>>>         the RS and AS,  UMA uses a different mechanism that
>>>>>>         describes finer grained operations.
>>>>>>         > The AS may include roles, user, or other more abstract
>>>>>>         claims that the the client may (god help them) pass on to
>>>>>>         EXCML for processing.
>>>>>>         >
>>>>>>         > While having a scopes claim is possible, like any other
>>>>>>         claim it is not part of the JWT core security processing
>>>>>>         claims, and needs to be defined by extension.
>>>>>>         >
>>>>>>         > John B.
>>>>>>         > On 2013-02-28, at 2:29 AM, Hannes Tschofenig
>>>>>>         <hannes.tschofenig@gmx.net
>>>>>>         <mailto:hannes.tschofenig@gmx.net>> wrote:
>>>>>>         >
>>>>>>         >> Hi Mike,
>>>>>>         >>
>>>>>>         >> when I worked on the MAC specification I noticed that
>>>>>>         the JWT does not have a claim for the scope. I believe
>>>>>>         that this would be needed to allow the resource server to
>>>>>>         verify whether the scope the authorization server
>>>>>>         authorized is indeed what the client is asking for.
>>>>>>         >>
>>>>>>         >> Ciao
>>>>>>         >> Hannes
>>>>>>         >>
>>>>>>         >> _______________________________________________
>>>>>>         >> OAuth mailing list
>>>>>>         >> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>         >> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>         >
>>>>>>         > _______________________________________________
>>>>>>         > OAuth mailing list
>>>>>>         > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>         > https://www.ietf.org/mailman/listinfo/oauth
>>>>>>         _______________________________________________
>>>>>>         OAuth mailing list
>>>>>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>         https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>
>>>>>
>>>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth