Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
Guilherme Kun <guilhermek@sgsistemas.com.br> Tue, 22 September 2020 12:22 UTC
From: Guilherme Kun <guilhermek@sgsistemas.com.br>
Date: Tue, 22 Sep 2020 09:22:18 -0300
Message-ID: <CAPhsynZPE8Ria3fE=_Fk+VCcFTJw73J3xZ+x1_cJh1BJF6nGQA@mail.gmail.com>
To: Deepak Tiwari <deepak.tiwari@intigate.in>
Cc: Logan Widick <logan.widick@gmail.com>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FLTAL4SwfEyIjVEkZ-RUZ9izWJI>
Please remove my email from the conversation

On Tue, 22 Sep 2020 at 03:25, Deepak Tiwari <deepak.tiwari@intigate.in> wrote:

> Please remove my email from the conversation
>
> On Tue, Sep 22, 2020 at 7:39 AM Logan Widick <logan.widick@gmail.com> wrote:
>
>> If I understand "The intent would be to present that information in the same way you would when querying a users/<id>, encoded in claims" correctly, the "roles", "groups", and "entitlements" claims are the same types as the "roles", "groups", and "entitlements" attributes of the User resource schema (pages 24-25 of RFC 7643 for the text; pages 63-67 of RFC 7643 for the schema)? In the schema the attributes are all "complex" (object) type and "multivalued" (array of), although the text for some of these attributes has some "No vocabulary or syntax..." remarks.
>>
>> If that understanding is correct, it might be a good idea to replace the references to "RFC 7643", "Section 4.1.2 of RFC 7643", and "RFC 7643, Section 4.1.2" with something more specific like "the ____ attribute(s) of the User resource schema from Section 4.1.2 of RFC 7643".
>>
>> On Mon, Sep 21, 2020, 15:33 Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>>> At some point I'm going to be among the lucky few who will be asked to review the JWT claims registration request. One of the criteria to consider is "whether the registration description is clear" and Logan's questions suggest that perhaps the descriptions of these claims are not sufficiently clear. My assumption was that the claim value for "roles", "groups" and "entitlements" was going to be an array of strings. Trying to validate my assumption, I went looking at the text in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-2.2.3.1 and https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-7.2 and followed the reference to https://tools.ietf.org/html/rfc7643#section-4.1.2 and, honestly, it wasn't particularly clear to me. Maybe it's my lack of familiarity with the details of SCIM and the language of RFC 7643. But I think that, for the sake of clarity and interoperability, some additional specificity is needed.
>>>
>>> Side note: the "Section 2.2.2.1 of [[this specification]]" references in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-7.2.1 are problematic (there is no such section in this document) and probably should be to 2.2.3.1.
>>>
>>> On Fri, Sep 18, 2020 at 6:28 PM Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>>>
>>>> Hi Logan,
>>>>
>>>> Thanks for the note.
>>>>
>>>> The intent would be to present that information in the same way you would when querying a users/<id>, encoded in claims; hence groups would be a list of values representing what groups the subject belongs to, rather than a list of full group definitions (with all the other members belonging to them, for example) which would go beyond the intended use of the information (supplying authorization information about the subject).
>>>>
>>>> I tried to keep the language high level as I didn't want to duplicate SCIM guidance, or inadvertently narrow down the options products have to implement this. If you think this is too vague, we can try to be more specific.
>>>>
>>>> From: OAuth <oauth-bounces@ietf.org> on behalf of Logan Widick <logan.widick@gmail.com>
>>>> Date: Wednesday, September 16, 2020 at 14:21
>>>> To: "oauth@ietf.org" <oauth@ietf.org>
>>>> Subject: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
>>>>
>>>> I took a look at Section 2.2.3.1: Claims for Authorization Outside of Delegation Scenarios (https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08#section-2.2.3.1) and I do not understand what exactly the formats of the "roles", "groups", and "entitlements" claims will be.
>>>>
>>>> Will the "roles" claim be an array of strings (role names, IDs, or links), an array of the "roles" objects from the SCIM User schema (pages 66-67 of RFC 7643), or something else?
>>>>
>>>> Will the "groups" claim be an array of strings (group names, IDs, or links), an array of the "groups" objects from the SCIM User schema (pages 63-64 of RFC 7643), an array of SCIM Group schema objects (pages 69-70 of RFC 7643), or something else?
>>>>
>>>> Will the "entitlements" claim be an array of strings (entitlement names, IDs, or links), an array of the "entitlements" objects from the SCIM User schema (pages 65-66 of RFC 7643), or something else?
>>>>
>>>> Sincerely,
>>>>
>>>> Logan Widick
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>
> --
>
> Regards,
>
> Deepak Tiwari | Software Engineer
> Intigate Technologies Pvt. Ltd. | www.intigate.co.in
> Ist Floor, A-119
> Sector-63
> Noida (U.P.) 201301

--
Regards,
Guilherme Ap. Sona Kun - Development
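The thread above turns on whether "roles", "groups" and "entitlements" are arrays of strings or SCIM objects. The following is example code written for this thread, not code from the draft, RFC 7643 or any SCIM/JWT library: it assumes Brian's reading (each claim is a JSON array of strings taken from the SCIM "value" sub-attribute), derives the claims from a constructed SCIM User resource, and shows the resource-server check that rejects a claim of the wrong shape.

```python
# Example code written for this thread, not from the draft or any SCIM/JWT
# library. It follows the reading that "roles", "groups" and "entitlements"
# are each a JSON array of strings (the SCIM 'value' sub-attribute).
from typing import Any

AUTHZ_CLAIMS = ("roles", "groups", "entitlements")

# Constructed SCIM User fragment in the RFC 7643 Section 4.1.2 shape
# (multi-valued complex attributes: value / $ref / display / type / primary).
SCIM_USER: dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "user-0001",
    "userName": "alice",
    "groups": [
        {"value": "grp-42", "$ref": "https://idp.example/scim/v2/Groups/grp-42",
         "display": "Finance", "type": "direct"},
        {"value": "grp-77", "$ref": "https://idp.example/scim/v2/Groups/grp-77",
         "display": "Everyone", "type": "indirect"},
    ],
    "roles": [{"value": "approver", "primary": True}],
    "entitlements": [{"value": "invoices:read"}, {"value": "invoices:approve"}],
}


def scim_to_claims(user: dict[str, Any]) -> dict[str, list[str]]:
    """Authorization server side: keep only each entry's 'value', so the
    token carries the list of groups the subject belongs to, not full
    group definitions with $ref, display or member lists."""
    claims: dict[str, list[str]] = {}
    for name in AUTHZ_CLAIMS:
        values = [e["value"] for e in user.get(name, [])
                  if isinstance(e, dict) and isinstance(e.get("value"), str)]
        if values:
            claims[name] = values
    return claims


def validate_authz_claims(payload: dict[str, Any]) -> dict[str, list[str]]:
    """Resource server side: every present claim must be an array of
    non-empty strings; a SCIM object or a bare string is rejected, so an
    authorization rule never compares against a value of the wrong shape."""
    out: dict[str, list[str]] = {}
    for name in AUTHZ_CLAIMS:
        if name in payload:
            value = payload[name]
            if not isinstance(value, list) or not all(isinstance(v, str) and v for v in value):
                raise ValueError(f"claim {name!r} must be a JSON array of non-empty strings")
            out[name] = value
    return out
```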