Re: [OAUTH-WG] WGLC for draft-ietf-oauth-token-exchange-08

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 26 June 2017 12:40 UTC

In-Reply-To: <CAGL6ep+nx=XmHOJpKHhY6WnhWpAXF4krhQhGy2TBDTKFbyVfag@mail.gmail.com>
References: <CAGL6ep+nx=XmHOJpKHhY6WnhWpAXF4krhQhGy2TBDTKFbyVfag@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Mon, 26 Jun 2017 08:40:39 -0400
Message-ID: <CAGL6epJtT55BH43bpSKKAXdFnvgCycTMkk8jNSbMovUFEsUfCg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QUdORJW1lpiiTcfJ4GtjQIEaCT4>
Subject: Re: [OAUTH-WG] WGLC for draft-ietf-oauth-token-exchange-08
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jun 2017 12:40:43 -0000

Hi (as individual),

I have reviewed this version of the document and I have the following
comments/questions:


Section 2.1, page 8, last paragraph:

   "In the absence of one-time-use or other semantics specific to the
    token type, the act of performing a token exchange has no impact on
    the validity of the subject token or actor token."

Would the validity of the newly issued token be impacted later on by the
validity of the subject or actor tokens?



Section 2.2.2, page 10, second paragraph:

  "If the authorization server is unwilling or unable to issue a token
   for all the target services indicated by the "resource" or "audience"
   parameters, the "invalid_target" error code MAY be used in the error
   response."

Can you please elaborate on why the above text is using "MAY" for the use
of "invalid_target" in this case?



Section 4.1, page 14, second paragraph:

  "However, claims within the "act" claim pertain only to the identity
   of the actor and are not relevant to the validity of the containing
   JWT in the same manner as the top-level claims.  Consequently, claims
   such as "exp", "nbf", and "aud" are not meaningful when used within
   an "act" claim, and therefore should not be used."

If the "exp", "nbf", and "aud" claims are not meaningful inside the "act"
claim, why is the sentence stating that it "should not be used"?
Would it not be more appropriate to state that it "must not be used"
instead?

Regards,
 Rifaat





On Fri, Jun 2, 2017 at 3:05 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
wrote:

> All,
>
> We are starting a WGLC on the Token Exchange document:
> https://www.ietf.org/id/draft-ietf-oauth-token-exchange-08
>
> Please, review the document and provide feedback on any issues you see
> with the document.
>
> The WGLC will end in two weeks, on June 17, 2017.
>
> Regards,
>  Rifaat and Hannes
>
>
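The three passages quoted in the review above (section 2.1 on the subject and actor tokens staying valid after an exchange, section 2.2.2 on the "invalid_target" error, and section 4.1 on what belongs inside the "act" claim) are illustrated below with a toy token exchange issuer and a resource-server validator. This is an added example, not code from the original message, from the draft, or from any implementation it describes. It assumes HS256 JWTs signed with a constructed shared key, a fixed set of allowed target resources, a fixed five-minute lifetime for issued tokens, and "resource"/"audience" passed as lists; the names AS_ISSUER, EXCHANGE_CLIENT_AUD, ALLOWED_TARGETS, exchange() and validate_issued() are this example's own.

```python
# Added example (not from the original message or the token-exchange draft):
# a toy token exchange issuer plus a validator for the issued JWT.
# Assumptions: hand-rolled HS256 JWTs under a constructed key, a fixed set of
# allowed targets, a fixed issued-token lifetime, and list-valued
# "resource"/"audience" request parameters.
import base64
import hashlib
import hmac
import json
import time

AS_ISSUER = "https://as.example.com"                   # assumed issuer name
EXCHANGE_CLIENT_AUD = "https://frontend.example.com"   # audience of subject/actor tokens
ALLOWED_TARGETS = {"https://backend.example.com/api"}  # targets this AS will issue for
ISSUED_LIFETIME = 300                                  # seconds; AS policy, assumed here
SECRET = b"constructed-demo-key-do-not-reuse"          # constructed; a real AS uses a managed key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict) -> str:
    """HS256 JWT, hand-rolled only to keep the example dependency-free."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def jwt_decode(token: str) -> dict:
    """Verify the HS256 signature and return the claims set."""
    head, body, sig = token.split(".")
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))


def top_level_valid(claims: dict, audience: str, now: int) -> bool:
    """exp, nbf and aud are enforced only on the top-level claims of a JWT."""
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud", [])
    return audience in (aud if isinstance(aud, list) else [aud])


def exchange(request: dict, now: int) -> dict:
    """Token endpoint logic for a token exchange request (sections 2.1, 2.2.2)."""
    subject = jwt_decode(request["subject_token"])
    if not top_level_valid(subject, EXCHANGE_CLIENT_AUD, now):
        return {"error": "invalid_request"}

    targets = list(request.get("resource", [])) + list(request.get("audience", []))
    # Section 2.2.2: cannot issue for all requested targets -> invalid_target.
    if not targets or any(t not in ALLOWED_TARGETS for t in targets):
        return {"error": "invalid_target"}

    new_claims = {"iss": AS_ISSUER, "sub": subject["sub"], "aud": targets,
                  "nbf": now, "exp": now + ISSUED_LIFETIME}
    if "actor_token" in request:
        actor = jwt_decode(request["actor_token"])
        if not top_level_valid(actor, EXCHANGE_CLIENT_AUD, now):
            return {"error": "invalid_request"}
        # Section 4.1: "act" carries the actor's identity only; the actor
        # token's exp/nbf/aud are deliberately not copied into it.
        new_claims["act"] = {k: actor[k] for k in ("iss", "sub") if k in actor}
    # Section 2.1: nothing here touches the subject or actor token; the issued
    # token's lifetime is AS policy (this example does not tie it to the
    # subject token's exp, which is an assumption of the example).
    return {"access_token": jwt_encode(new_claims),
            "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "token_type": "Bearer", "expires_in": ISSUED_LIFETIME}


def validate_issued(token: str, audience: str, now: int) -> dict:
    """Resource-server side: enforce exp/nbf/aud at the top level only, then
    read the delegation chain from nested "act" claims as identities."""
    claims = jwt_decode(token)
    if not top_level_valid(claims, audience, now):
        raise ValueError("token not valid for this audience at this time")
    actors = []
    act = claims.get("act")
    while act:                    # nested "act" claims form a delegation chain
        actors.append(act.get("sub"))
        act = act.get("act")      # any exp/nbf/aud inside "act" is ignored
    return {"subject": claims["sub"], "actors": actors}


if __name__ == "__main__":
    now = int(time.time())
    subj = jwt_encode({"iss": "https://idp.example.com", "sub": "alice",
                       "aud": EXCHANGE_CLIENT_AUD, "nbf": now - 10, "exp": now + 3600})
    resp = exchange({"subject_token": subj, "resource": ["https://backend.example.com/api"]}, now)
    print(validate_issued(resp["access_token"], "https://backend.example.com/api", now))
    print(exchange({"subject_token": subj, "resource": ["https://other.example.net/"]}, now))
```

The validator walks nested "act" claims purely as a chain of identities, so a stale "exp" placed inside "act" has no effect on the decision, which is the behaviour the quoted section 4.1 text describes whichever of "should not" or "must not" the draft ends up using; the issuer, for its part, never emits those claims inside "act" at all.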