[OAUTH-WG] OAuth 2.0 Access Token JWT Profile. Section 4: Validating JWT Access Tokens

Denis <denis.ietf@free.fr> Tue, 27 October 2020 14:06 UTC

To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <7921d02c-aba9-7e4d-692b-fa381a6bf680@free.fr>
Date: Tue, 27 Oct 2020 15:06:07 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Fyx_4cuakhPp70SD7ITvY62xerw>

I create a new thread to discuss the end of my email from yesterday
which has been deleted from the thread called "BCP: Client
collaborative attacks":

    Comment on section 4: "Validating JWT Access Tokens"
    The JWT profile for OAuth 2.0 access tokens
    [draft-ietf-oauth-access-token-jwt] mandates to include a "sub"
    claim into an access token.
    However, this section does not mandate the RS to verify that claims
    allowing for the RS to uniquely identify the holder of the access token
    are indeed present inside an access token.

    It might be useful to add it, so that the above text can refer to it.
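
An added example, not part of the original message or of the draft: a sketch of the check the comment asks for, where a resource server rejects an access token unless the claims identifying its holder are present. The names `holder_of`, `make_token`, `TokenRejected` and `DEMO_KEY` are hypothetical, the token is constructed, HS256 stands in for the authorization server's asymmetric signature, and the other validation steps (`aud`, `exp`, and so on) are left out.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HS256 is used only to keep the example self-contained;
# a real RS would verify the AS's asymmetric signature instead.
DEMO_KEY = b"constructed-demo-key"
# "sub" is only unique per issuer, so the holder is identified by (iss, sub).
IDENTITY_CLAIMS = ("iss", "sub")

class TokenRejected(Exception):
    pass

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed sample token for this demo."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def holder_of(token: str, key: bytes = DEMO_KEY) -> tuple:
    """Verify the signature, then require the claims that identify the holder."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(head_b64))
        sig = _unb64url(sig_b64)
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    claims = json.loads(_unb64url(body_b64))  # trusted only after the check above
    if not isinstance(claims, dict):
        raise TokenRejected("claims set is not an object")
    for name in IDENTITY_CLAIMS:
        value = claims.get(name)
        if not isinstance(value, str) or not value:
            raise TokenRejected(f"missing or empty claim: {name}")
    return claims["iss"], claims["sub"]
```
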