Re: [OAUTH-WG] "cid" claim in JWT

Nat Sakimura <sakimura@gmail.com> Thu, 20 December 2012 05:38 UTC

On Thu, Dec 20, 2012 at 11:25 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I agree, audience who requested it and who it is requested for are all
> interrelated.
>

Bringing in such application or protocol specific semantics to the level of
JWT does not seem to be a good idea to me.

What I am proposing is just the claim that identifies who is the eligible
user of the token.
It is independent of request or where it can be used.
It is an abstract notion which application protocols can utilize.


>
> However we do need to set down some standard way of expressing it as
> people are starting to make stuff up on their own that will impact
> interoperability.
>
> If Google starts throwing in cid and clients don't know about it they must
> reject the JWT etc.
>
> John
>
> On 2012-12-19, at 9:40 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> It seems premature and we should consider this in the bigger context of
> the “on behalf of”/delegation work that has been started
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Nat Sakimura
> *Sent:* Tuesday, December 18, 2012 6:22 PM
> *To:* oauth
> *Subject:* [OAUTH-WG] "cid" claim in JWT
>
> In OpenID Connect WG, we have been talking about this for some time.
> "cid" claim identifies the entity that the JWT was issued to as a
> rightful/licensed user.
> Google already uses this in their implementation of id_token of OIDC.
>
> Here is the text proposal. It introduces two new standard claims: "cid"
> and "cit".
>
> It would be very useful in creating HoK drafts as well.
>
> Cheers,
>
> Nat
>
> *4.1.9. "cid" Client Identification Data Claim*
>
> The "cid" (client identification data) claim allows the receiver
> of the JWT to identify the entity that the JWT is
> intended to be used by. The audience of the JWT MUST be
> able to identify the client with the value of this claim.
>
> The "cid" value is a case sensitive string containing a StringOrURI value.
> This claim is OPTIONAL. If the entity processing the claim does not
> identify the user of the JWT with the identifier in the "cid" claim value,
> then the JWT MUST be rejected. The interpretation of the registered to
> value is generally application specific.
>
> A typical example of a registered to claim includes the following:
> * client_id that the audience can use to authenticate and
>   identify the client.
> * A base64url encoded JWK.
> * A URL that points to the key material that the audience can use to
>   authenticate the user of the JWT.
>
> *4.1.10 "cit" (Client Identification Data claim type)*
>
> The "cit" (Client Identification Data claim type) identifies the type
> of the "cid" claim. It is a StringOrURI value. The defined values
> are the following:
>
> "client_id" The value of the "cid" claim is the Client ID of the client
> that the audience of the JWT is able to use to authenticate the client.
>
> "jwk" The value of the "cid" claim is a base64url encoded JWK of
> the registered client.
>
> "jku" The value of the "cid" claim is the "jku" defined in 4.1.2 of
> JSON web signature [JWS].
>
> "x5u" The value of the "cid" claim is the URL that points to the public
> key certificate of the registered client. The format of the content
> that x5u points to is described in section 4.1.4 of the JSON Web Signature.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
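As an added example (not part of the thread or of any project's code), a checker for the acceptance rule in the quoted proposal: a JWT carrying "cid" is rejected unless the value identifies the entity processing it, interpreted according to "cit". It assumes the JWT signature has already been verified, that the caller supplies its own identifiers per "cit" type in `me`, and that a "cid" whose "cit" is missing or unknown is rejected (the proposal does not say); the client_id, JWK and URLs used are constructed sample values.

```python
import base64
import json
from urllib.parse import urlparse

CIT_TYPES = ("client_id", "jwk", "jku", "x5u")  # as listed in the proposal


def _b64url_decode(value):
    """Decode unpadded base64url, the encoding JWTs use."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def encode_jwk_cid(jwk):
    """Issuer side: produce a "cid" of type "jwk" from a JWK dict."""
    raw = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_cid(claims, me):
    """Apply the proposal's rule to a signature-verified claims set.
    `me` maps each "cit" type to the identifiers this entity knows itself
    by, e.g. {"client_id": {"s6BhdRkqt3"}, "jwk": [jwk_dict]}."""
    if "cid" not in claims:
        return True, "cid absent: the claim is OPTIONAL"
    cid, cit = claims["cid"], claims.get("cit")
    if not isinstance(cid, str) or not cid:
        return False, "cid must be a non-empty StringOrURI"
    if cit not in CIT_TYPES:  # assumption: unknown or missing type -> reject
        return False, "cit missing or not one of %s" % (CIT_TYPES,)
    mine = me.get(cit, ())
    if cit == "client_id":
        matched = cid in mine  # case-sensitive, as the proposal requires
    elif cit == "jwk":
        try:
            jwk = json.loads(_b64url_decode(cid))
        except ValueError:  # covers binascii.Error and JSONDecodeError
            return False, "cid is not a base64url-encoded JWK"
        if not isinstance(jwk, dict) or "kty" not in jwk:
            return False, "decoded cid is not a JWK (no kty member)"
        matched = any(jwk == known for known in mine)
    else:  # "jku" / "x5u": JWS requires these to be fetched over TLS
        u = urlparse(cid)
        if u.scheme != "https" or not u.netloc:
            return False, "cid of type %s must be an https URL" % cit
        matched = cid in mine
    if not matched:
        return False, "cid does not identify this entity: reject"
    return True, "cid identifies this entity via %s" % cit
```

The "jwk" branch compares the decoded key to the keys the entity registered, so a token issued to a different key is rejected even when it is otherwise well-formed.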