Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
Deepak Tiwari <deepak.tiwari@intigate.in> Tue, 22 September 2020 06:25 UTC
From: Deepak Tiwari <deepak.tiwari@intigate.in>
Date: Tue, 22 Sep 2020 11:59:55 +0530
Message-ID: <CADCNZN8QYvGk5zuGDVO+ugyz5d20OhaCFuCcRQi5VEN3OTaP4A@mail.gmail.com>
To: Logan Widick <logan.widick@gmail.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FEklm5LJlyXFrUzyG8HqwbpqGIE>
Please remove my email from the conversation

On Tue, Sep 22, 2020 at 7:39 AM Logan Widick <logan.widick@gmail.com> wrote:

> If I understand "The intent would be to present that information in the same way you would when querying a users/<id>, encoded in claims" correctly, the "roles", "groups", and "entitlements" claims are the same types as the "roles", "groups", and "entitlements" attributes of the User resource schema (pages 24-25 of RFC 7643 for the text; pages 63-67 of RFC 7643 for the schema)? In the schema the attributes are all "complex" (object) type and "multivalued" (array of), although the text for some of these attributes has some "No vocabulary or syntax..." remarks.
>
> If that understanding is correct, it might be a good idea to replace the references to "RFC 7643", "Section 4.1.2 of RFC 7643", and "RFC 7643, Section 4.1.2" with something more specific like "the ____ attribute(s) of the User resource schema from Section 4.1.2 of RFC 7643".
>
> On Mon, Sep 21, 2020, 15:33 Brian Campbell <bcampbell@pingidentity.com> wrote:
>
>> At some point I'm going to be among the lucky few who will be asked to review the JWT claims registration request. One of the criteria to consider is "whether the registration description is clear" and Logan's questions suggest that perhaps the descriptions of these claims are not sufficiently clear. My assumption was that the claim value for "roles", "groups" and "entitlements" was going to be an array of strings. Trying to validate my assumption, I went looking at the text in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-2.2.3.1 and https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-7.2 and followed the reference to https://tools.ietf.org/html/rfc7643#section-4.1.2 and, honestly, it wasn't particularly clear to me. Maybe it's my lack of familiarity with the details of SCIM and the language of RFC 7643. But I think that, for the sake of clarity and interoperability, some additional specificity is needed.
>>
>> Side note: the "Section 2.2.2.1 of [[this specification]]" references in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-7.2.1 are problematic (there is no such section in this document) and probably should be to 2.2.3.1.
>>
>> On Fri, Sep 18, 2020 at 6:28 PM Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>>
>>> Hi Logan,
>>>
>>> Thanks for the note.
>>>
>>> The intent would be to present that information in the same way you would when querying a users/<id>, encoded in claims; hence groups would be a list of values representing what groups the subject belongs to, rather than a list of full group definitions (with all the other members belonging to them, for example) which would go beyond the intended use of the information (supplying authorization information about the subject).
>>>
>>> I tried to keep the language high level as I didn't want to duplicate SCIM guidance, or inadvertently narrow down the options products have to implement this. If you think this is too vague, we can try to be more specific.
>>>
>>> From: OAuth <oauth-bounces@ietf.org> on behalf of Logan Widick <logan.widick@gmail.com>
>>> Date: Wednesday, September 16, 2020 at 14:21
>>> To: "oauth@ietf.org" <oauth@ietf.org>
>>> Subject: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
>>>
>>> I took a look at Section 2.2.3.1: Claims for Authorization Outside of Delegation Scenarios (https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08#section-2.2.3.1) and I do not understand what exactly the formats of the "roles", "groups", and "entitlements" claims will be.
>>>
>>> Will the "roles" claim be an array of strings (role names, IDs, or links), an array of the "roles" objects from the SCIM User schema (pages 66-67 of RFC 7643), or something else?
>>>
>>> Will the "groups" claim be an array of strings (group names, IDs, or links), an array of the "groups" objects from the SCIM User schema (pages 63-64 of RFC 7643), an array of SCIM Group schema objects (pages 69-70 of RFC 7643), or something else?
>>>
>>> Will the "entitlements" claim be an array of strings (entitlement names, IDs, or links), an array of the "entitlements" objects from the SCIM User schema (pages 65-66 of RFC 7643), or something else?
>>>
>>> Sincerely,
>>>
>>> Logan Widick
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

--
Regards,
Deepak Tiwari | Software Engineer
Intigate Technologies Pvt. Ltd. | www.intigate.co.in
Ist Floor, A-119 Sector-63 Noida (U.P.) 201301
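The thread above turns on one interoperability question: whether a resource server should expect "roles", "groups" and "entitlements" to be arrays of strings (Brian's assumption), arrays of the SCIM User sub-attribute objects from RFC 7643 Section 4.1.2 (Logan's reading), or full SCIM Group resources. The following is an added example written for this page, not code from the draft or from any of the participants, showing how a resource server can consume the claims under Vittorio's stated intent (a list of values naming what the subject belongs to) while refusing anything else. It assumes the JWT signature, issuer, audience and expiry have already been verified, and the sample claims set is constructed for the example; the claim names are the draft's, everything else (values, function names) is invented.

```python
"""Consume the "roles", "groups" and "entitlements" claims of a verified
JWT access token claims set (draft-ietf-oauth-access-token-jwt, 2.2.3.1).

Added example; not code from the draft. Assumption: a claim is either a
JSON array of strings, or an array of SCIM-style complex values (RFC 7643
4.1.2: objects with "value", "display", "type", "primary", "$ref") from
which only "value" is taken. Any other shape is rejected, never coerced.
"""
from typing import Any

AUTHZ_CLAIMS = ("roles", "groups", "entitlements")

# Constructed sample claims set; values are invented for this example.
SAMPLE_CLAIMS: dict[str, Any] = {
    "iss": "https://as.example.com",
    "sub": "5ba552d67",
    "aud": "https://rs.example.com",
    "exp": 1600759518,
    "iat": 1600755918,
    "client_id": "s6BhdRkqt3",
    "jti": "8c3c8b7a-2f1e-4f6c-9c0c-0d1a5e9b3f11",
    # plain array of strings
    "groups": ["admins", "engineering"],
    # SCIM-style complex multi-valued attribute, as the User schema models it
    "roles": [{"value": "reader", "display": "Reader", "type": "internal"}],
    "entitlements": ["billing:read"],
}


def authz_values(claims: dict[str, Any], name: str) -> list[str]:
    """Return the named authorization claim as a list of strings.

    An absent claim yields []. A bare string, a non-array, a mixed array,
    an object without a string "value", or an empty value raises
    ValueError so the resource server fails closed instead of guessing.
    """
    if name not in AUTHZ_CLAIMS:
        raise ValueError(f"{name!r} is not one of {AUTHZ_CLAIMS}")
    raw = claims.get(name)
    if raw is None:
        return []
    if not isinstance(raw, list):
        raise ValueError(f"{name}: expected a JSON array, got {type(raw).__name__}")
    values: list[str] = []
    for item in raw:
        if isinstance(item, str):
            value = item
        elif isinstance(item, dict) and isinstance(item.get("value"), str):
            # SCIM complex value: keep the member name, drop display/$ref/etc.
            value = item["value"]
        else:
            raise ValueError(f"{name}: unsupported element {item!r}")
        if not value:
            raise ValueError(f"{name}: empty value")
        values.append(value)
    return values


def rejects(claims: dict[str, Any], name: str) -> bool:
    """True if authz_values refuses this claims set (used to show failure modes)."""
    try:
        authz_values(claims, name)
    except ValueError:
        return True
    return False


def authorize(
    claims: dict[str, Any],
    required_groups: frozenset[str] = frozenset(),
    required_entitlements: frozenset[str] = frozenset(),
) -> bool:
    """Grant only if the subject carries every required group and entitlement."""
    groups = set(authz_values(claims, "groups"))
    entitlements = set(authz_values(claims, "entitlements"))
    return required_groups <= groups and required_entitlements <= entitlements


if __name__ == "__main__":
    print(authz_values(SAMPLE_CLAIMS, "groups"))        # ['admins', 'engineering']
    print(authz_values(SAMPLE_CLAIMS, "roles"))         # ['reader']
    print(authorize(SAMPLE_CLAIMS, frozenset({"admins"}), frozenset({"billing:read"})))
    print(rejects({"groups": [{"displayName": "Admins", "members": []}]}, "groups"))
```

Note the last line: a full SCIM Group resource (which carries "displayName" and "members" rather than "value") is rejected, which matches Vittorio's statement that the claim should name the groups the subject belongs to rather than carry group definitions. Rejecting rather than coercing is deliberate; lenient parsing across several possible shapes is exactly where an authorization check silently degrades, and the shape ambiguity Brian and Logan raise is best resolved in the specification text, not at each resource server.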