Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 11 March 2014 15:02 UTC

Message-ID: <531F234E.90609@gmx.net>
Date: Tue, 11 Mar 2014 15:53:02 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com>
In-Reply-To: <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/G6ncr9_N4i9uwCewatcQtOKS19o
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Thanks for clarifying.

I took a quick look at the Google API and it seems that in their use
case the client creates the JWT and consequently the subject and the
issuer would actually be the same. I suspect that this is the reason why
they omitted the subject.

Could you explain why you would like to omit the subject claim in the JWT?

Ciao
Hannes

PS: Your feedback on the draft-ietf-oauth-jwt-bearer-07 spec is timely
since we are about to finish all three assertion specs.


On 03/11/2014 03:56 PM, Antonio Sanso wrote:
> hi Hannes,
> 
> I am aware of the 2 documents,
> 
> I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation ) and not only Client Authentication Processing.
> 
> Just my 0.02 $ but this seems to be a place where different implementers have the same issue :)
> 
> regards
> 
> antonio
> 
> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
>> Hi Manfred, Hi Antonio,
>>
>> Note that there are two documents that talk about the JWT and you guys
>> might be looking at the wrong document.
>>
>> The main JWT document (see
>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
>> the subject claim as optional (see Section 4.1.2).
>>
>> The JWT bearer assertion document (see
>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
>> define it as mandatory but that's intentional since the purpose of the
>> spec is to authenticate the client (or the resource owner for an
>> authorization grant).
>>
>> The assertion documents are used for interworking with "legacy" identity
>> infrastructure (such as SAML federations).
>>
>> So, are you sure you are indeed looking at the right document?
>>
>> Ciao
>> Hannes
>>
>>
>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>> hi *,
>>>
>>> JSON Web Token (JWT) Profile section 3 [0] explicitly says
>>>
>>> The JWT MUST contain a "sub" (subject) claim 
>>>
>>>
>>> Now IMHO there are cases where having the sub is either not needed or
>>> redundant (since it might overlap with the issuer).
>>>
>>> As far as I can see “even Google” currently violates this spec [1] ( I
>>> know that this doesn’t matter, just wanted to bring a real use case
>>> scenario).
>>>
>>> WDYT, might the "sub" be optional in some situations?
>>>
>>> regards
>>>
>>> antonio 
>>>
>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>
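The following is an added example, not code from the thread, from the draft, or from Google: a minimal validator for a JWT bearer assertion presented at a token endpoint, written against the Section 3 claim requirements Antonio quotes (the assertion MUST carry "iss", "sub", "aud" and "exp") and exercising the two cases discussed above, a self-issued assertion where the client is both issuer and subject (so "sub" simply repeats "iss"), and a Google-style assertion that omits "sub" altogether, which a strict draft-07 validator must reject. It uses HS256 with a constructed shared secret and a constructed token endpoint URL purely so the block runs offline; the real profile is normally used with RS256 and a registered public key, and the helper names (make_assertion, validate_bearer_assertion, SHARED_SECRET, TOKEN_ENDPOINT) are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the example only (hypothetical secret and audience).
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_ENDPOINT = "https://as.example.com/token"
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")  # draft-ietf-oauth-jwt-bearer-07, Section 3


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact HS256 JWT from the given claims (client side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_bearer_assertion(
    token: str,
    audience: str,
    secret: bytes = SHARED_SECRET,
    now: Optional[int] = None,
    max_skew: int = 60,
) -> Tuple[bool, str, dict]:
    """Authorization-server side check of an assertion.

    Returns (ok, reason, claims). The signature is verified before any claim
    is looked at so that nothing from a forged token is ever trusted, and the
    algorithm is pinned rather than taken from the token header."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", {}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64 and bad JSON
        return False, "malformed", {}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed", {}
    if header.get("alg") != "HS256":  # refuses "none" and any algorithm swap
        return False, "unsupported alg", {}
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature", {}
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            return False, f"missing {name}", claims
    aud = claims["aud"]
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch", claims
    if not isinstance(claims["exp"], int) or now > claims["exp"] + max_skew:
        return False, "expired", claims
    if "nbf" in claims and now + max_skew < claims["nbf"]:
        return False, "not yet valid", claims
    return True, "ok", claims


if __name__ == "__main__":
    now = int(time.time())
    # Self-issued assertion: the client is both issuer and subject.
    self_issued = make_assertion(
        {"iss": "client-123", "sub": "client-123", "aud": TOKEN_ENDPOINT, "exp": now + 300, "iat": now}
    )
    # Google-style assertion from the thread: issuer present, subject omitted.
    no_sub = make_assertion({"iss": "client-123", "aud": TOKEN_ENDPOINT, "exp": now + 300, "iat": now})
    print("self-issued:", validate_bearer_assertion(self_issued, TOKEN_ENDPOINT, now=now)[:2])
    print("no sub:     ", validate_bearer_assertion(no_sub, TOKEN_ENDPOINT, now=now)[:2])
```

The point the validator makes concrete is the one in Hannes's reply: when the client mints its own assertion, "sub" carries no information beyond "iss", yet a validator written to the draft still has to reject the assertion without it, which is exactly the interoperability gap Antonio describes. The order of checks also matters in practice: signature and algorithm first, then claim presence, then audience and time window, so an attacker cannot learn anything about claim handling from an unsigned token.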