Re: [OAUTH-WG] JSON Web Token (JWT) Profile
"Manfred Steyer" <manfred.steyer@gmx.net> Tue, 11 March 2014 14:27 UTC
From: Manfred Steyer <manfred.steyer@gmx.net>
To: oauth@ietf.org
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
In-Reply-To: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com>
Date: Tue, 11 Mar 2014 15:26:54 +0100
Message-ID: <009501cf3d35$f4257410$dc705c30$@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JSoVXvme6Yj9fSFfypkD_1GRo2o
Hi Antonio,

some time ago, I wrote about the same issue, but unfortunately didn't get an answer. I place my thoughts about this at the end of this mail.

Wishes,
Manfred

8<-------------------------------

Hi,

the draft about the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants [1] says:

    The JWT MUST contain a "sub" (subject) claim identifying the principal that is the subject of the JWT. Two cases need to be differentiated:

    A. For the authorization grant, the subject SHOULD identify an authorized accessor for whom the access token is being requested (typically the resource owner, or an authorized delegate).

    B. For client authentication, the subject MUST be the "client_id" of the OAuth client.

I'm not sure if this makes sense, because in a federation scenario the original JWT is issued in another security domain and the auth server in question does not necessarily know the users in those domains. Furthermore, it is very likely that the auth server is not interested in the subject claim, but just in other incoming claims, in view of mapping them to outgoing ones. IMHO, all the auth server can do with the subject claim is to create a protocol entry that says that some action was performed for this subject.

Do I see that right?

Wishes,
Manfred

[1] https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Antonio Sanso
Sent: Tuesday, 11 March 2014 15:14
To: oauth@ietf.org
Subject: [OAUTH-WG] JSON Web Token (JWT) Profile

hi *,

JSON Web Token (JWT) Profile section 3 [0] explicitly says

    The JWT MUST contain a "sub" (subject) claim

Now IMHO there are cases where having the sub is either not needed or redundant (since it might overlap with the issuer).
As far as I can see even Google currently violates this spec [1] (I know that this doesn't matter, just wanted to bring a real use case scenario).

WDYT, might the sub be optional in some situation?

regards
antonio

[0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
[1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
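The following is an added example, not code from this thread, from the draft's authors, or from any OAuth implementation. It shows what an authorization server's check of a JWT bearer assertion looks like when the "sub" rule quoted above is applied literally: in the client-authentication case "sub" must equal the client_id; in the authorization-grant case "sub" names the resource owner (or delegate), and the server only records it rather than resolving it, which is the point Manfred raises for federated issuers. Everything here is assumed for illustration: the HS256 signing via the standard library (chosen only so the example runs offline; deployments normally use asymmetric keys), the names `make_jwt`, `verify_jwt`, `validate_bearer_assertion`, `assertion_outcome`, and the constructed sample key, issuer, audience and client_id.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example only (not from the thread or any deployment).
SAMPLE_KEY = b"constructed-shared-secret-for-example"
SAMPLE_ISSUER = "https://idp.example.org"          # assumed token issuer
SAMPLE_AUDIENCE = "https://as.example.com/token"   # assumed AS token endpoint
SAMPLE_CLIENT_ID = "client-abc-123"                # assumed OAuth client_id


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT; only needed so the example can produce test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the three-part structure and the HS256 signature, then return the claim set."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_bearer_assertion(token, key, *, issuer, audience, mode, client_id=None, now=None):
    """Apply the claim rules quoted from draft-ietf-oauth-jwt-bearer section 3.

    mode is "client_authentication" (sub MUST equal client_id) or
    "authorization_grant" (sub identifies the resource owner or a delegate; a
    federated AS may not know that principal and only records it).
    """
    claims = verify_jwt(token, key)
    for required in ("iss", "sub", "aud", "exp"):  # "sub" is mandatory in the draft as written
        if required not in claims:
            raise ValueError(f"missing required claim: {required}")
    if claims["iss"] != issuer:
        raise ValueError("unexpected issuer")
    aud = claims["aud"]  # JWT allows a single string or an array of audiences
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise ValueError("assertion not intended for this authorization server")
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    if mode == "client_authentication":
        if client_id is None or claims["sub"] != client_id:
            raise ValueError("sub must equal the client_id for client authentication")
    elif mode == "authorization_grant":
        pass  # sub is kept for the audit record / claim mapping, not resolved locally
    else:
        raise ValueError("unknown mode")
    return claims


def assertion_outcome(token, key, **kwargs) -> str:
    """Return 'accepted' or 'rejected: <reason>' so callers can log the decision."""
    try:
        validate_bearer_assertion(token, key, **kwargs)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    tok = make_jwt({"iss": SAMPLE_ISSUER, "sub": SAMPLE_CLIENT_ID,
                    "aud": SAMPLE_AUDIENCE, "exp": 1700000000}, SAMPLE_KEY)
    print(assertion_outcome(tok, SAMPLE_KEY, issuer=SAMPLE_ISSUER, audience=SAMPLE_AUDIENCE,
                            mode="client_authentication", client_id=SAMPLE_CLIENT_ID, now=1699999000))
```

The fixed `now` argument keeps the check deterministic; drop it to use the wall clock. Note that in the grant case the example deliberately does not look the subject up, so an assertion from a foreign domain passes as long as issuer, audience, expiry and signature hold, which is exactly the situation the thread is asking the draft to account for.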