[OAUTH-WG] Re: draft-ietf-oauth-status-list: separate URIs for JWT & CWT

Christian Bormann <chris.bormann@gmx.de> Mon, 16 June 2025 11:29 UTC

From: Christian Bormann <chris.bormann@gmx.de>
Message-Id: <C23E3BD4-19E9-4D62-A8A5-81092B52BCE0@gmx.de>
Date: Mon, 16 Jun 2025 13:29:41 +0200
In-Reply-To: <SY4PR01MB8517FE4B44351338770E2FDCE56AA@SY4PR01MB8517.ausprd01.prod.outlook.com>
To: "Manger, James" <James.H.Manger=40team.telstra.com@dmarc.ietf.org>
References: <SY4PR01MB8517FE4B44351338770E2FDCE56AA@SY4PR01MB8517.ausprd01.prod.outlook.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Re: draft-ietf-oauth-status-list: separate URIs for JWT & CWT
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Rf19Wr72adsPj5N3jJU4RQRGtsE>

Hi James,

Thank you for the feedback!

The important part for the client is the `Content-Type` header, which signals the type in the response. The Accept header is just a nice-to-have for scenarios where the status list token might be served in both encodings, which is probably more of an edge case. To the best of my knowledge, Content-Type also works fine with caching etc. and is supported nowadays by most CDNs.

This topic had been discussed in previous IETFs (especially IETF 121, if I recall correctly) and the consensus has been to make Content-Type mandatory and not pull that signal (what type of status list token) out of the HTTP request. Alternatives discussed included pulling the format into the URI (suffix) and into the claim directly, if I recall correctly. We were also not sure about “only” Content-Type as a signal before those discussions, but following those discussions, I think expecting Content-Type in the response is a reasonable demand and clients should be able to deal with the payload according to the header. If Content-Type is missing, it can also be seen as a pretty clear signal that the client needs to probe the content (e.g., try CWT and JWT decoding).

Best Regards,
Christian
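As an added illustration of the client behaviour described in the message above (example code, not from the draft or from either author): the client parses the media type out of `Content-Type` (ignoring parameters), treats a present header as authoritative and rejects a body that contradicts it, and only falls back to probing the payload when the header is absent. The media type names are the ones the draft registers; the structural probes are simplified heuristics (assumed here, not full JWS/COSE parsing), and signature verification is assumed to follow separately.

```python
import base64
import json

# Media types registered by draft-ietf-oauth-status-list for the two encodings.
JWT_MEDIA_TYPE = "application/statuslist+jwt"
CWT_MEDIA_TYPE = "application/statuslist+cwt"


def media_type(content_type):
    """Bare, lowercased media type of a Content-Type value (parameters such as
    charset dropped); None when the header is absent."""
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower()


def looks_like_jwt(body: bytes) -> bool:
    """Heuristic: three base64url segments whose first decodes to a JSON object
    (compact JWS serialization). Structure only, no signature check."""
    try:
        parts = body.decode("ascii").strip().split(".")
        if len(parts) != 3:
            return False
        header = parts[0] + "=" * (-len(parts[0]) % 4)
        return isinstance(json.loads(base64.urlsafe_b64decode(header)), dict)
    except ValueError:  # bad ASCII, bad base64 and bad JSON all land here
        return False


def looks_like_cwt(body: bytes) -> bool:
    """Heuristic: a COSE_Sign1 array(4), optionally under CBOR tag 18 (0xd2)
    and CWT tag 61 (0xd8 0x3d). Structure only, no signature check."""
    b = body[2:] if body[:2] == b"\xd8\x3d" else body
    b = b[1:] if b[:1] == b"\xd2" else b
    return b[:1] == b"\x84"


def classify_status_list_token(content_type, body: bytes) -> str:
    """Return "jwt" or "cwt". Content-Type is authoritative when present; the
    body is probed only when the header is missing, as the message describes."""
    mt = media_type(content_type)
    if mt == JWT_MEDIA_TYPE:
        if not looks_like_jwt(body):
            raise ValueError("Content-Type says JWT but body is not a compact JWS")
        return "jwt"
    if mt == CWT_MEDIA_TYPE:
        if not looks_like_cwt(body):
            raise ValueError("Content-Type says CWT but body is not a COSE_Sign1")
        return "cwt"
    if mt is not None:
        raise ValueError(f"unexpected Content-Type for a status list token: {mt}")
    if looks_like_cwt(body):  # binary CBOR can never pass the ASCII JWT probe
        return "cwt"
    if looks_like_jwt(body):
        return "jwt"
    raise ValueError("Content-Type missing and body matches neither JWT nor CWT")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed samples, not real tokens: a JWS-shaped string with a JSON header,
# and a tag-18 COSE_Sign1 with empty placeholder fields.
SAMPLE_JWT = ".".join([_b64url(b'{"typ":"statuslist+jwt","alg":"ES256"}'),
                       _b64url(b"{}"), _b64url(b"sig")]).encode("ascii")
SAMPLE_CWT = b"\xd2\x84\x40\xa0\x40\x40"
```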

> On 10. Jun 2025, at 05:01, Manger, James <James.H.Manger=40team.telstra.com@dmarc.ietf.org> wrote:
> 
> draft-ietf-oauth-status-list offers 2 formats for status list tokens: JWT (JSON Web Token) and CWT (CBOR Web Token). But it only provides 1 “uri” field. That’s annoying; not developer-friendly; and unnecessary.
> 
> I suggest defining 2 fields: “jwt_uri” and “cwt_uri”. At least one must be present.
> 
> 
> 1 URI can “work” theoretically, but only if all clients and all servers always use the Accept HTTP request header to do content-negotiation. That complicates all parties. It means you can’t just paste the URI into a browser. You can’t use the simplest HTTP GET method that every programming language offers. Caching … who knows.
> Perhaps the worst part is that 1 URI will mostly work even for clients that use a simple get(uri) method and don’t bother about the Accept header. The URI in a JWT will return a JWT (the URI in a CWT will return a CWT). The client will assume the result is what they expect. Then some issuers will require content-negotiation; some clients will break; those clients will be “at fault”, but issuers may need to hack their content-negotiation for interoperability. Better to offer 2 explicit fields for 2 explicit formats.
> 
> —
> James Manger
> 