[OAUTH-WG] OAuth 2.0 Access Token JWT Profile. Section 4: Validating JWT Access Tokens
Denis <denis.ietf@free.fr> Tue, 27 October 2020 14:06 UTC
To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <7921d02c-aba9-7e4d-692b-fa381a6bf680@free.fr>
Date: Tue, 27 Oct 2020 15:06:07 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Fyx_4cuakhPp70SD7ITvY62xerw>
I create a new thread to discuss the end of my email from yesterday, which has been deleted from the thread called "BCP: Client collaborative attacks":

*Comment on section 4: "Validating JWT Access Tokens"*

The JWT profile for OAuth 2.0 access tokens [draft-ietf-oauth-access-token-jwt] mandates including a "sub" claim in an access token. However, this section does not mandate the RS to verify that claims allowing the RS to uniquely identify the holder of the access token are indeed present inside the access token. It might be useful to add it, so that the above text can refer to it.

Denis