IETF Logo Mail Archive

Re: [OAUTH-WG] JWT - scope claim missing

John Bradley <ve7jtb@ve7jtb.com> Thu, 28 February 2013 17:40 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 353BD21F8A55 for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 09:40:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.423
X-Spam-Level:
X-Spam-Status: No, score=-3.423 tagged_above=-999 required=5 tests=[AWL=0.175, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAEmA9bB2wyB for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 09:40:32 -0800 (PST)
Received: from mail-pb0-f41.google.com (mail-pb0-f41.google.com [209.85.160.41]) by ietfa.amsl.com (Postfix) with ESMTP id 3CED721F88A9 for <oauth@ietf.org>; Thu, 28 Feb 2013 09:40:32 -0800 (PST)
Received: by mail-pb0-f41.google.com with SMTP id um15so1211082pbc.0 for <oauth@ietf.org>; Thu, 28 Feb 2013 09:40:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=ZAXMql53Ww9syxB6ysT35ZIFGEqNw2PMercy5UXoK5Y=; b=ExRc7KpaCJTlyDwNBvMRA/5xIvbyAfQzGY/+Oevjn1heJPBhXD4TB+I/FJ+tBoIO7B 3wqf5X9dEz56lCdER+XPclTrQrgJ/isFIjpEoHQbBTz3nAZdTG7UYtNWHa5XU6a5n2+R Qh1lqp5MWlq3GjXK82gFC9LaX7SiIEzjP5HzFVWEHn3s6AWYC24EB5by4MlljqgHFhNi TGFkErQRbTW61ezghLSMPWO3FUJrRb9reFiN0weB4FYZ61nkmn8noyReFo9fDZY0PZ1e jXFRtXwEahRSamMuJq8i0PxbMk2NRO4ga3B3KVOknMc1UiITfprmswq9sGRkXh0+QhSI JlpQ==
X-Received: by 10.68.201.227 with SMTP id kd3mr10179371pbc.65.1362073231953; Thu, 28 Feb 2013 09:40:31 -0800 (PST)
Received: from [192.168.41.99] (ip-64-134-220-138.public.wayport.net. [64.134.220.138]) by mx.google.com with ESMTPS id ww9sm9000888pbc.41.2013.02.28.09.40.28 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 Feb 2013 09:40:30 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_4748AC50-AF64-4040-8475-53ACC1A9C937"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com>
Date: Thu, 28 Feb 2013 09:40:26 -0800
Message-Id: <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQnRSNa4ymFxo5y145zP24ub6O4YYexkVU4zQSGgAqtzvSsFgSxW2I2FBlE+XUrUHkk2U9Dj
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 17:40:33 -0000

JWT is an assertion( I am probably going to regret using that word).

It is used in openID connect for id_tokens, it is used in OAuth for Assertion grant types and authentication of the client to the token endpoint.
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04

JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0

Dosen't define JWT's use for access tokens for the RS.   

Bottom line JWT is for more than access tokens.

John B.

On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Are you saying jwt is not an access token type?
> 
> Phil
> 
> Sent from my phone.
> 
> On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
>> Yes, defining scope in JWT is the wrong place.   JWT needs to stick to the security claims needed to process JWT.
>> 
>> I also don't know how far you get requiring a specific authorization format for JWT, some AS will wan to use a opaque reference, some might want to use a user claim or role claim, others may use scopes,  combining scopes and claims is also possible.
>> 
>> Right now it is up to a AS RS pair to agree on how to communicate authorization.   I don't want MAC to be more restrictive than bearer when it comes to authorization between AS and RS.
>> 
>> Hannes wanted to know why JWT didn't define scope.  The simple answer is that it is out of scope for JWT itself.   It might be defined in a OAuth access token profile for JWT but it should not be specific to MAC.
>> 
>> John B.
>> On 2013-02-28, at 8:44 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> 
>>> I think John's point was more that scope is something rather specific to an OAuth access token and, while JWT is can be used to represent an access token, it's not the only application of JWT. The 'standard' claims in JWT are those that are believed (right or wrong) to be widely applicable across different applications of JWT. One could argue about it but scope is probably not one of those.
>>> 
>>> It would probably make sense to try and build a profile of JWT specifically for OAuth access tokens (though I suspect there are some turtles and dragons in there), which might be the appropriate place to define/register a scope claim.
>>> 
>>> 
>>> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>> Are you advocating TWO systems? That seems like a bad choice.
>>> 
>>> I would rather fix scope than go to a two system approach.
>>> 
>>> Phil
>>> 
>>> Sent from my phone.
>>> 
>>> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> 
>>> > While scope is one method that a AS could communicate authorization to a RS, it is not the only or perhaps even the most likely one.
>>> > Using scope requires a relatively tight binding between the RS and AS,  UMA uses a different mechanism that describes finer grained operations.
>>> > The AS may include roles, user, or other more abstract claims that the the client may (god help them) pass on to EXCML for processing.
>>> >
>>> > While having a scopes claim is possible, like any other claim it is not part of the JWT core security processing claims, and needs to be defined by extension.
>>> >
>>> > John B.
>>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> >
>>> >> Hi Mike,
>>> >>
>>> >> when I worked on the MAC specification I noticed that the JWT does not have a claim for the scope. I believe that this would be needed to allow the resource server to verify whether the scope the authorization server authorized is indeed what the client is asking for.
>>> >>
>>> >> Ciao
>>> >> Hannes
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>

v2.23.0 | Report a Bug | By Email