Re: [OAUTH-WG] JWT - scope claim missing

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Thu, 28 February 2013 17:57 UTC

From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 28 Feb 2013 17:57:40 +0000
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing

Adding my 2 cents ...

I am looking to use JWT as the structure for my access tokens, and will likely profile it to look just like an id_token, plus the scope claim which triggered this thread :-)

I am also looking at JWT as a grant type.

I am also looking into federating my access tokens (one of the main reasons I am looking to use JWT as the structure for the AT).

All is subject to change, but that is where my head is today.

adam

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, February 28, 2013 11:34 AM
To: Phil Hunt
Cc: WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing

Yes, IETF WG politics :)

Should JWT and JOSE be together? Through a number of twists and turns they are not; let's not go there.

But to the point a number of us have made, JWT is used in OAuth for more than access tokens.
Currently its only use in OAuth is in the JWT assertions profile, which has nothing to do with access tokens.

John B.

On 2013-02-28, at 9:27 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

Am I missing something? JWT is firstly an OAuth spec. Otherwise why isn't it in the JOSE WG?

Phil

Sent from my phone.

On 2013-02-28, at 8:44, Brian Campbell <bcampbell@pingidentity.com> wrote:
I think John's point was more that scope is something rather specific to an OAuth access token and, while JWT can be used to represent an access token, it's not the only application of JWT. The 'standard' claims in JWT are those that are believed (right or wrong) to be widely applicable across different applications of JWT. One could argue about it, but scope is probably not one of those.
It would probably make sense to try and build a profile of JWT specifically for OAuth access tokens (though I suspect there are some turtles and dragons in there), which might be the appropriate place to define/register a scope claim.

On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
Are you advocating TWO systems? That seems like a bad choice.

I would rather fix scope than go to a two system approach.

Phil

Sent from my phone.

On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote:

> While scope is one method that an AS could communicate authorization to an RS, it is not the only or perhaps even the most likely one.
> Using scope requires a relatively tight binding between the RS and AS; UMA uses a different mechanism that describes finer grained operations.
> The AS may include roles, user, or other more abstract claims that the client may (god help them) pass on to XACML for processing.
>
> While having a scopes claim is possible, like any other claim it is not part of the JWT core security processing claims, and needs to be defined by extension.
>
> John B.
> On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> Hi Mike,
>>
>> when I worked on the MAC specification I noticed that the JWT does not have a claim for the scope. I believe that this would be needed to allow the resource server to verify whether the scope the authorization server authorized is indeed what the client is asking for.
>>
>> Ciao
>> Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
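The check Hannes describes (the resource server verifying that the scope the authorization server granted covers what the client is asking for), as an added example that is not part of this thread or any participant's code: a minimal HS256 JWT access-token validator in Python that treats `scope` as a profile-defined claim, carried as an RFC 6749 style space-delimited string, on top of the core JWT checks (alg, signature, iss, aud, exp). The shared key, issuer, audience and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (not a real key or deployment).
SHARED_KEY = b"example-shared-key-for-illustration-only"
EXPECTED_ISSUER = "https://as.example"
EXPECTED_AUDIENCE = "https://rs.example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """AS side: build an HS256-signed JWT. Used here only to create test input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """RS side: check alg, signature, iss, aud and exp before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the RS decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong iss/aud")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def scope_allows(claims: dict, required: set) -> bool:
    """Profile-defined 'scope' claim: space-delimited list; all required scopes must be granted."""
    granted = set(str(claims.get("scope", "")).split())
    return required <= granted
```

The RS only consults `scope` after the token has been authenticated, so a client cannot widen its own authorization by editing the claim; a forged or expired token is rejected before the scope comparison runs.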