Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Mon, 01 April 2019 15:12 UTC

To: Vittorio@auth0.com, IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <2a523e40-470b-4727-4e38-7a60552a285a@aol.com>
Date: Mon, 01 Apr 2019 11:12:00 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FiWw9ZG5Ry0KYbgPimBm2yZvs0A>

Thanks for writing this up. One comment on auth_time...

    auth_time  OPTIONAL - as defined in section 2 of [OpenID.Core] <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>.
       Important: as this claim represents the time at which the end user
       authenticated, its value will remain the same for all the JWT
       access tokens issued within that session.  For example: all the
       JWT access tokens obtained with a given refresh token will all
       have the same value of auth_time, corresponding to the instant in
       which the user first authenticated to obtain the refresh token.

During a current session a user can be challenged for additional 
credentials or required to re-authenticate due to a number of different 
reasons. For example, OIDC prompt=login or max_age=NNN. In this context, 
I'd assume that the auth_time value should be updated to the latest time 
at which the user authenticated.

If we need a timestamp for when the "session" started, then there could 
be a session_start_time claim.

Thanks,
George

On 3/24/19 7:29 PM, Vittorio Bertocci wrote:
> Dear all,
> I just submitted a draft describing a JWT profile for OAuth 2.0 access 
> tokens. You can find it in 
> https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting 
> remotely). I look forward for your comments!
>
> Here's just a bit of backstory, in case you are interested in how this 
> doc came to be. The trajectory it followed is somewhat unusual.
>
>   * Despite OAuth2 not requiring any specific format for ATs, through
>     the years I have come across multiple proprietary solution using
>     JWT for their access token. The intent and scenarios addressed by
>     those solutions are mostly the same across vendors, but the syntax
>     and interpretations in the implementations are different enough to
>     prevent developers from reusing code and skills when moving from
>     product to product.
>   * I asked several individuals from key products and services to
>     share with me concrete examples of their JWT access tokens (THANK
>     YOU Dominick Baier (IdentityServer), Brian Campbell
>     (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta)
>     for the tokens and explanations!).
>     I studied and compared all those instances, identifying
>     commonalities and differences.
>   * I put together a presentation summarizing my findings and
>     suggesting a rough interoperable profile (slides:
>     https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx)
>     - got early feedback from Filip Skokan on it. Thx Filip!
>   * The presentation was followed up by 1.5 hours of unconference
>     discussion, which was incredibly valuable to get tight-loop
>     feedback and incorporate new ideas. John Bradley, Brian Campbell
>     Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes
>     Tschofenig were all there and contributed generously to the
>     discussion. Thank you!!!
>     Note: if you were at OSW2019, participated in the discussion and
>     didn't get credited in the draft, my apologies: please send me a
>     note and I'll make things right at the next update.
>   * On my flight back I did my best to incorporate all the ideas and
>     feedback in a draft, which will be discussed at IETF104 tomorrow.
>     Rifaat, Hannes and above all Brian were all super helpful in
>     negotiating the mysterious syntax of the RFC format and submission
>     process.
>
> I was blown away by the availability, involvement and willingness to 
> invest time to get things right that everyone demonstrated in the 
> process. This is an amazing community.
> V.
>
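An added example, not code from either message or from the draft, that models the distinction George draws: a session record that keeps a fixed start time and an auth_time that moves on re-authentication, and a resource-server check that relies on auth_time for freshness. The Session class, the session_start_time claim name and the timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    # Constructed AS-side session record (hypothetical, not from the draft).
    session_start_time: int   # first authentication that established the session
    auth_time: int            # most recent authentication event in the session

def start_session(now: int) -> Session:
    """First login: both timestamps coincide, which is the case the draft describes."""
    return Session(session_start_time=now, auth_time=now)

def reauthenticate(session: Session, now: int) -> None:
    """Forced re-login (e.g. OIDC prompt=login or a max_age challenge) bumps auth_time only."""
    session.auth_time = now

def mint_access_token_claims(session: Session, now: int, lifetime: int = 300) -> dict:
    """Claim set for a JWT access token (signing and encoding are out of scope here)."""
    return {
        "iat": now,
        "exp": now + lifetime,
        "auth_time": session.auth_time,
        "session_start_time": session.session_start_time,  # hypothetical claim name
    }

def authenticated_within(claims: dict, now: int, max_age: int) -> bool:
    """Resource-server freshness check: did the user authenticate in the last max_age seconds?"""
    return now - claims["auth_time"] <= max_age

def scenario(t0: int = 1_000_000) -> dict:
    """Walk one session: login, refresh an hour later, re-authenticate, mint again."""
    s = start_session(t0)
    # Token obtained with the refresh token an hour later, with no new user interaction.
    t1 = t0 + 3600
    stale = mint_access_token_claims(s, t1)
    # A resource that wants authentication within the last 10 minutes must reject it.
    stale_ok = authenticated_within(stale, t1, max_age=600)
    # The AS challenges the user again and mints a new token with an updated auth_time.
    reauthenticate(s, t1)
    fresh = mint_access_token_claims(s, t1)
    fresh_ok = authenticated_within(fresh, t1, max_age=600)
    return {"stale_auth_time": stale["auth_time"], "stale_ok": stale_ok,
            "fresh_auth_time": fresh["auth_time"], "fresh_ok": fresh_ok,
            "session_start_time": fresh["session_start_time"]}

if __name__ == "__main__":
    print(scenario())
```

If auth_time were instead pinned to the first authentication for the whole session, the second token would be indistinguishable from the first and the max_age check could not enforce anything.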