Re: [OAUTH-WG] JWT - scope claim missing
prateek mishra <prateek.mishra@oracle.com> Thu, 28 February 2013 20:44 UTC
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 909A121F89B2 for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 12:44:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.565
X-Spam-Level:
X-Spam-Status: No, score=-6.565 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMHFl3lMnFdW for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 12:44:05 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id B9CCF21F89CC for <oauth@ietf.org>; Thu, 28 Feb 2013 12:44:03 -0800 (PST)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r1SKi2V6016227 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 28 Feb 2013 20:44:03 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r1SKi1ha015048 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Feb 2013 20:44:02 GMT
Received: from abhmt110.oracle.com (abhmt110.oracle.com [141.146.116.62]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r1SKi1Ad023595; Thu, 28 Feb 2013 14:44:01 -0600
Received: from [10.152.55.88] (/10.152.55.88) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 28 Feb 2013 12:44:00 -0800
Message-ID: <512FC18D.1020803@oracle.com>
Date: Thu, 28 Feb 2013 15:43:57 -0500
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: oauth@ietf.org, Brian Campbell <bcampbell@pingidentity.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com>
In-Reply-To: <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010101070200010105050902"
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 20:44:06 -0000
SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants Assertion Framework for OAuth 2.0 <as above> a bit wordy, but does get the point across IMO - prateek > I'm not sure anyone really "picked" the titles for the bearer token > profiles. They just kind of evolved. And evolved in funny ways > especially when client authn to the AS was added. > > You won't hear me argue that the titles are "good" and this is not the > first time there's been confusion about what they actually do. They > define new grant types and new client authentication methods. They *do > not* define an access token format or anything else about access > tokens. JWT and SAML could be used for that but that's not what these > drafts do. > > Suggestions for better title(s) would be more than welcome. > > Here's what they are now: > > SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 > draft-ietf-oauth-saml2-bearer > > JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 > draft-ietf-oauth-jwt-bearer > > Assertion Framework for OAuth 2.0 > draft-ietf-oauth-assertions > > On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>> wrote: > > Yes the title likely adds to the confusion given that the bearer > tokens are not access tokens. > > Things as separate from OAuth as the Firefox browerID spec use JWS > signed JWTs. > > The bearer token profiles for OAuth 2 are for OAuth2. > > The JSON Web Token (JWT) > <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec > did not start in OAuth and is not OAuth specific. > > A JWT is: > > JSON Web Token (JWT) A string representing a set of claims as a JSON > object that is encoded in a JWS or JWE, enabling the claims to be > digitally signed or MACed and/or encrypted. > > > So OAuth or other profiles may define claims to go in a JWT, but > the JWT needs to itself only define the claims necessary for > security processing. > > John B. > PS that was a soft ball If you hadn't responded I would have been > disappointed. I din't pick the title for the bearer token profiles. > > > On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com > <mailto:phil.hunt@oracle.com>> wrote: > >> >> >> >> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 >> >> >> Note the title says "for OAuth2" >> >> Sorry. Couldn't resist. >> >> Phil >> >> Sent from my phone. >> >> On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com >> <mailto:ve7jtb@ve7jtb.com>> wrote: >> >>> JWT is an assertion( I am probably going to regret using that >>> word). >>> >>> It is used in openID connect for id_tokens, it is used in OAuth >>> for Assertion grant types and authentication of the client to >>> the token endpoint. >>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04 >>> >>> >>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 >>> >>> >>> Dosen't define JWT's use for access tokens for the RS. >>> >>> Bottom line JWT is for more than access tokens. >>> >>> John B. >>> >>> On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com >>> <mailto:phil.hunt@oracle.com>> wrote: >>> >>>> Are you saying jwt is not an access token type? >>>> >>>> Phil >>>> >>>> Sent from my phone. >>>> >>>> On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com >>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>> >>>>> Yes, defining scope in JWT is the wrong place. JWT needs to >>>>> stick to the security claims needed to process JWT. >>>>> >>>>> I also don't know how far you get requiring a specific >>>>> authorization format for JWT, some AS will wan to use a opaque >>>>> reference, some might want to use a user claim or role claim, >>>>> others may use scopes, combining scopes and claims is also >>>>> possible. >>>>> >>>>> Right now it is up to a AS RS pair to agree on how to >>>>> communicate authorization. I don't want MAC to be more >>>>> restrictive than bearer when it comes to authorization between >>>>> AS and RS. >>>>> >>>>> Hannes wanted to know why JWT didn't define scope. The simple >>>>> answer is that it is out of scope for JWT itself. It might >>>>> be defined in a OAuth access token profile for JWT but it >>>>> should not be specific to MAC. >>>>> >>>>> John B. >>>>> On 2013-02-28, at 8:44 AM, Brian Campbell >>>>> <bcampbell@pingidentity.com >>>>> <mailto:bcampbell@pingidentity.com>> wrote: >>>>> >>>>>> I think John's point was more that scope is something rather >>>>>> specific to an OAuth access token and, while JWT is can be >>>>>> used to represent an access token, it's not the only >>>>>> application of JWT. The 'standard' claims in JWT are those >>>>>> that are believed (right or wrong) to be widely applicable >>>>>> across different applications of JWT. One could argue about >>>>>> it but scope is probably not one of those. >>>>>> >>>>>> It would probably make sense to try and build a profile of >>>>>> JWT specifically for OAuth access tokens (though I suspect >>>>>> there are some turtles and dragons in there), which might be >>>>>> the appropriate place to define/register a scope claim. >>>>>> >>>>>> >>>>>> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt >>>>>> <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote: >>>>>> >>>>>> Are you advocating TWO systems? That seems like a bad choice. >>>>>> >>>>>> I would rather fix scope than go to a two system approach. >>>>>> >>>>>> Phil >>>>>> >>>>>> Sent from my phone. >>>>>> >>>>>> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com >>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>>>> >>>>>> > While scope is one method that a AS could communicate >>>>>> authorization to a RS, it is not the only or perhaps even >>>>>> the most likely one. >>>>>> > Using scope requires a relatively tight binding between >>>>>> the RS and AS, UMA uses a different mechanism that >>>>>> describes finer grained operations. >>>>>> > The AS may include roles, user, or other more abstract >>>>>> claims that the the client may (god help them) pass on to >>>>>> EXCML for processing. >>>>>> > >>>>>> > While having a scopes claim is possible, like any other >>>>>> claim it is not part of the JWT core security processing >>>>>> claims, and needs to be defined by extension. >>>>>> > >>>>>> > John B. >>>>>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig >>>>>> <hannes.tschofenig@gmx.net >>>>>> <mailto:hannes.tschofenig@gmx.net>> wrote: >>>>>> > >>>>>> >> Hi Mike, >>>>>> >> >>>>>> >> when I worked on the MAC specification I noticed that >>>>>> the JWT does not have a claim for the scope. I believe >>>>>> that this would be needed to allow the resource server to >>>>>> verify whether the scope the authorization server >>>>>> authorized is indeed what the client is asking for. >>>>>> >> >>>>>> >> Ciao >>>>>> >> Hannes >>>>>> >> >>>>>> >> _______________________________________________ >>>>>> >> OAuth mailing list >>>>>> >> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>> >> https://www.ietf.org/mailman/listinfo/oauth >>>>>> > >>>>>> > _______________________________________________ >>>>>> > OAuth mailing list >>>>>> > OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>> > https://www.ietf.org/mailman/listinfo/oauth >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> >>>>> >>> > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- [OAUTH-WG] JWT - scope claim missing Hannes Tschofenig
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Hannes Tschofenig
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Justin Richer
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Justin Richer
- Re: [OAUTH-WG] JWT - scope claim missing Mike Jones
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing prateek mishra
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Mike Jones
- Re: [OAUTH-WG] JWT - scope claim missing Nat Sakimura
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Nat Sakimura
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Eve Maler
- Re: [OAUTH-WG] JWT - scope claim missing Richer, Justin P.
- Re: [OAUTH-WG] JWT - scope claim missing prateek mishra