Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

George Fletcher <gffletch@aol.com> Tue, 24 March 2020 18:47 UTC

To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Takahiko Kawasaki <taka@authlete.com>
Cc: oauth <oauth@ietf.org>
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com> <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com> <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <52f18114-4f8e-da86-5735-4c4e8f8d2db5@aol.com>
Date: Tue, 24 Mar 2020 14:47:35 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------476B3C00BA4A3369BEF01678"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Mq0DNhgMuVmdqknnb4KA9WiSISI>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Precedence: list

Focusing just on this comment...

This assumes the system uses a specific implementation of scopes values 
(e.g. 'read', 'write', 'delete'). It is very possible that in the 
context of a calendar services and an inbox service... the system 
defines scopes like 'cal-r', 'cal-w', 'mail-r', mail-w' in which there 
is no ambiguity.

On 3/24/20 2:14 PM, Vittorio Bertocci wrote:
>    I don't think the rule referring to the "scope" parameter is worth being
>> defined. That "aud" is missing but "scope" is available is enough for
>> resource servers. In other words, if "aud" is determined based on the
>> "scope", why do we have to set "aud" redundantly?
> Scope is actually not sufficient for many resource servers. Whenever an RS
> is facading a collection of existing finer grained resources, scopes
> representing permissions might be ambiguous - if my API facades both
> calendar and inbox, what does the "read" scope refer to? Having an audience
> resolves that ambiguity.

[OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile … Hannes Tschofenig
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Nikos Fotiou
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Takahiko Kawasaki
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Filip Skokan
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Nikos Fotiou
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… vittorio.bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Richard Backman, Annabelle
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Brian Campbell
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Vittorio Bertocci
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "J… Benjamin Kaduk
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… George Fletcher
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Denis
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Vittorio Bertocci
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Denis
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Benjamin Kaduk
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Denis
Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Prof… Richard Backman, Annabelle