Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Denis <denis.ietf@free.fr> Thu, 14 May 2020 14:29 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D1E23A0AB4 for <oauth@ietfa.amsl.com>; Thu, 14 May 2020 07:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.4, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zh0ZghnuK2WM for <oauth@ietfa.amsl.com>; Thu, 14 May 2020 07:29:47 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 335B13A0AB0 for <oauth@ietf.org>; Thu, 14 May 2020 07:29:46 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d55 with ME id eeVj220094FMSmm03eVjM3; Thu, 14 May 2020 16:29:44 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 14 May 2020 16:29:44 +0200
X-ME-IP: 86.238.65.197
To: oauth@ietf.org, Vittorio Bertocci <vittorio.bertocci@auth0.com>
References: <CADNypP8t4oVUpoqOFhb-Aft-5C4Z2F9O2vBxh6QxmkHrWkN_gw@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <7cf781ef-67c9-eddd-3076-403e59e371bc@free.fr>
Date: Thu, 14 May 2020 16:29:43 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CADNypP8t4oVUpoqOFhb-Aft-5C4Z2F9O2vBxh6QxmkHrWkN_gw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------9DE4E1B69B1BDCC34C1FCC14"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R1m_L2KsKAZSp2hungVgD8sWieo>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 14:29:49 -0000
The current version of this draft is "draft-ietf-oauth-access-token-jwt-07" issued on April the 27 th. This means that comments sent later on on the list have not been incorporated in this draft. In particular, this one sent on April the 28 th: *1) *The title of this spec. is: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens So, this spec. is supposed to be targeted to OAuth *2.0. * However, the header at the top of the page omits to mention it. Currently, it is : Internet-Draft OAuth Access Token JWT Profile April 2020 It should rather be: Internet-Draft OAuth *2.0* Access Token JWT Profile April 2020 It has been acknowledged by Vittorio on April, the 29 th: /> The title of this spec./ Fixed, thanks! This means that the draft document currently available on the IETF server is not reflecting the agreed comments. Since then, I questioned myself how a client would be able to request an access token that would be *strictly compliant with this Profile*. For doing this exercise, I took a look at section 3 on pages 6 to 8. To summarize my findings: * the request MAY include a "resource" parameter. If the request does not include a "resource" parameter, the authorization server MUST use in the "aud" claim a default resource indicator. * the request MAY include "scope" parameter. If a "scope" parameter is present in the request, the authorization server SHOULD use it to infer the value of the default resource indicator to be used in the "aud" claim. It seems to mean that if the request includes no "resource" parameter and no "scope" parameter, the access token will necessarily include the "sub" claim. If in the request, there would be present a parameter meaning "I want a token compliant with *this OAuth 2.0 profile*", then there would be no problem, but this is not the case. In the future, if additional parameters are included in the request, will the "sub" claim necessarily be present in the access token ? If yes, this may be a privacy concern. On the list there have been requirements for not making the "sub" parameter mandatory. This point needs to be addressed and solved one way or another. Denis > All, > > Based on the 3rd WGLC, we believe that we have consensus to move this > document forward. > https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/ > > We will be working on the shepherd write-up and then submit the > document to the IESG soon. > > Regards, > Rifaat & Hannes > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Steinar Noem
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Vittorio Bertocci
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Janak Amarasena
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis