Re: [OAUTH-WG] some WGLC comments on draft-ietf-oauth-jwsreq-06

Mike Jones <> Wed, 28 October 2015 23:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A77131B5EBF for <>; Wed, 28 Oct 2015 16:07:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ayBJ_D5Zr5vS for <>; Wed, 28 Oct 2015 16:07:40 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::1:754]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 216361B5EBC for <>; Wed, 28 Oct 2015 16:07:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=lLR/9Hg5KyijyXVW2d2p/xNhTmAdGu69SwMXA9ozTVQ=; b=nqsGyaSp3jH2u1dofrh4b4kLd8dnZr2Vn3ftXCoL6Ct/73XhyXFdJWINsfNKIc1Y8vxWbAHl5tRTP+BW/lkpYZulG4R5BtSyQVuTJyibw4UCFDZqiG3gouls1tBAsGv7g1kwzA4r48YENRtuC6ESMCj0qI8CCgSMvCwfvjlp7Kk=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.306.13; Wed, 28 Oct 2015 23:07:34 +0000
Received: from ([]) by ([]) with mapi id 15.01.0306.003; Wed, 28 Oct 2015 23:07:34 +0000
From: Mike Jones <>
To: Justin Richer <>, Brian Campbell <>
Thread-Topic: [OAUTH-WG] some WGLC comments on draft-ietf-oauth-jwsreq-06
Thread-Index: AQHREQjG0uX/1xc0fEa1sZeB4X3UpZ6BeoKAgAAM+RA=
Date: Wed, 28 Oct 2015 23:07:33 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:lfP7nRsaEMVEPNCfw21RXzBVhpo2jvevzuB0IdG3i/E2dbFf4eXS8HrvbpM407i/IqAUdB7FJvaT2MMFwtb3qLsetFfK2Ib9TZTyY6Qc2lQtn9T87ZbgtA2SlxVBVfRWwd5y6cxuy9bkS7NSfZ6eAw==; 24:ZLNT4I/LN7Z5TgsL939W9HhrCxd19mKb8jM7hGxJyH/S+8kJV/P4wZJAkf4DBbmZQHQQcUwg61I8rxxbQvHhS+Oe4c/xM5hOjyy9Kw0nyUE=; 20:/tzF1+6ePQESFXD13kt7HYIPGGjA8zKHLUkr2vIVeTCKQmUYufDoRTxSEqvAa7Jm2Wt/2cof5fn4MAuzwOqrzw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046)(102215026)(61426024)(61427024); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443;
x-forefront-prvs: 0743E8D0A6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(377454003)(52314003)(24454002)(189002)(16236675004)(54356999)(76176999)(15395725005)(189998001)(74316001)(33656002)(19617315012)(106356001)(76576001)(66066001)(230783001)(92566002)(5001770100001)(81156007)(5005710100001)(10290500002)(10400500002)(101416001)(8990500004)(102836002)(5003600100002)(97736004)(50986999)(86612001)(40100003)(87936001)(5008740100001)(122556002)(2171001)(10090500001)(105586002)(19609705001)(86362001)(2900100001)(19580395003)(2950100001)(19580405001)(5001960100002)(99286002)(5004730100002)(15975445007)(5007970100001)(106116001)(19300405004)(77096005)(5002640100001)(11100500001)(19625215002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4422A5C4671F0DB1F312919F5210BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Oct 2015 23:07:33.9135 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] some WGLC comments on draft-ietf-oauth-jwsreq-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2015 23:07:46 -0000

This working draft containing the OpenID Connect Dynamic Registration errata 2 edits to date contains the registration requests that you’re referring to.  See and

                                                            -- Mike

From: OAuth [] On Behalf Of Justin Richer
Sent: Wednesday, October 28, 2015 3:16 PM
To: Brian Campbell
Cc: <>
Subject: Re: [OAUTH-WG] some WGLC comments on draft-ietf-oauth-jwsreq-06

The errata/update version of Connect’s registration spec need to register a bunch of stuff in the Dyn-Reg IANA registry, but I don’t think that’s been done yet.

 — Justin

On Oct 27, 2015, at 3:41 PM, Brian Campbell <<>> wrote:

Sakimura-san, Senior Bradley, and distinguished members of the OAUTH WG,
I re-read draft-ietf-oauth-jwsreq (-06 anyway, it'd been a while) for WGLC and, while I feel it's in pretty good shape, I did have a few comments on the draft. Those are listed below in roughly the order I came across things while reading the document.

To my eye, "oauth-jar" looks a bit awkward. I'd suggest changing the abbrev to something like
"OAuth JAR".
From the wording in Section 3<>, it is unclear whether the Request Object can be a JWE only or if a JWS is always used (with alg:none for unsigned) and is nested within a JWE when encryption but not singing is needed. To my reading there is text that suggest both cases. Which is it? I think some clarification is needed around this. Section 5.1<> doesn't help me as I'm unsure if "unsigned (plaintext) Request Object" is an out-of-date usage of the old way to refer to the "none" JWS alg or is intended to mean the straight up JSON of the request object parameters.
Also in Section 3<>, the sentence 'The Authorization Request Object MAY alternatively be sent by reference using the "request_uri" parameter.' reads a little awkward because the other alternative isn't explicit discussed anywhere nearby. Perhaps something like "The Authorization Request Object may be sent by value as described in section 4.1 or by reference as described in section 4.2."?

Also in Section 3<>, the sentence "If a required parameter is not present in neither the query parameter nor the Request Object, it forms a malformed request." made my brain hurt. Maybe reword to something like, "If a required parameter is missing from both the query parameters and the Request Object, the request is considered malformed."?

Also in Section 3<>, '... the Authorization Request Object SHOULD contain the Claims "iss" (issuer) and "aud" (audience) as members ...', however, that will produce a parameter name conflict with the "aud" parameter from OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution.<> Seems like draft-ietf-oauth-pop-key-distribution will need to change its parameter name (aud in JWT is pretty well established). And shouldn't draft-ietf-oauth-jwsreq register some of the JWT's Registered Claim Names<> (at least iss and aud but maybe exp and others) as authorization request OAuth parameters<>?

Also in Section 3<>, I personally feel like the "extension variables" detract from the example being able to easily convey the concept. I would suggest using only 'vanilla' OAuth parameters. Or, at the very least, removing the "claims" stuff, which doubles the space used by the example and is a very OpenID Connect specific thing. This applies to the examples throughout the draft including those that have the encoded JWT Request Object.
In Section 4<>, the whole "The client constructs the authorization request URI by ..." followed by the list of parameters is somewhat awkward to me - especially with the "REQUIRED"s. Why list "state" here and none of the others here? I think I know why (you expect state to vary on each request but not others) but a lot of inferring needs to happen from the reader.  For the extension defined in this document, one uses either request_uri or request (but not both, right? I'm not sure it's explicitly stated anywhere) and whatever other parameters are needed in the given situation. Maybe just some text towards that end rather than the list format?
Also in Section 4<>, the request_uri in the example is a lot like the URI that's used for redirect_uri in a lot of places (the /cb path, I think, was intended to short for callback). I mean, it *could* happen but the example is more confusing than needs to be. It's also too long/wide for the page - add some line breaks, which are for display purposes only. Perhaps move this example to 4.2(.1) somewhere and match the value with the value shown there?

Also in Section 4<>, the sentence that starts with 'When the "request" parameter is used...' suggests that the text about JWT parameters superseding others is only applicable to the pass by value method but it applies to both. Perhaps change '"request" parameter' to 'Request Object'?
The second paragraph of Section 4.2.1<> talks about "requested values for Claims" which is an OpenID Connect thing that isn't really applicable to this draft. Can this paragraph be dropped or made more general to be about any potentially sensitive or PII data?
Also in Section 4.2.1<>, is "... at a URL the Server can access... " - assume the "Authorization Sever"?
Isn't it a bit odd in Section 5.2<> to talk about the "request_object_signing_alg" which is defined in OpenID Connect Dynamic Client Registration<> (which is not referenced) and kinda mentioned in OpenID Connect Core<> (informative referenced)? I don't know that it belongs here? Or if it does, what about request_object_encryption_alg and request_object_encryption_enc? I suppose related to that is the question of if/how to use the client_secret for HMAC and symmetric encryption algorithms and if that needs to be discussed here? Indicating public key(s) too for that matter. Seems like all the metadata/registration stuff should be in here. Or it should all be out of scope. But just the request_object_signing_alg seems odd to me.
Section 6<> says that "... this document defines additional error values ..." but those were previously defined in of OpenID Connect Core<>. Maybe just change the wording to reflect the real state of things?

Section 7<> says that "The request_object_signing_alg OAuth Dynamic Client Registration Metadata is pending registration by OpenID Connect Dynamic Registration specification." But is that true? The registry<> doesn't have it and Connect's Registration<> "makes no requests of IANA".
As I'm sure reading this has been a ton of fun for the editors, I'm sure you will be happy to please add me to the Acknowledgements Section<> ;)

OAuth mailing list<>