[OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

Brian Campbell <bcampbell@pingidentity.com> Fri, 25 April 2014 19:00 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 9159C1A03D7 for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 12:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9_WJEomw_rnB for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 12:00:05 -0700 (PDT)
Received: from na6sys009bog031.obsmtp.com (na6sys009bog031.obsmtp.com []) by ietfa.amsl.com (Postfix) with ESMTP id 3AF381A031D for <oauth@ietf.org>; Fri, 25 Apr 2014 12:00:05 -0700 (PDT)
Received: from mail-ie0-f174.google.com ([]) (using TLSv1) by na6sys009bob031.postini.com ([]) with SMTP ID DSNKU1qwroTBRI/R5e/HAd9YqdHxK+TZ7FvD@postini.com; Fri, 25 Apr 2014 11:59:59 PDT
Received: by mail-ie0-f174.google.com with SMTP id rp18so4078322iec.5 for <oauth@ietf.org>; Fri, 25 Apr 2014 11:59:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=rK5fL7q4uiEp+ewbikZnGs6W0Wz0JfJBo5v7ic3OfnI=; b=R4Ojhd/HQjsB8TNqMbDMnNJcJ/1fMyLie3ezWdwwfytOIlZxuoa5cnJYwQNHUVXXmY BBXfxRdGeaRYAqORRPf/Ica9myqO8FdO9aYcImHAerCPo2psIhia95fwnMhyfG5SmVts n3WQJkSbNmZAJA/DhAmzW0OJewHuAgC9ujwbeG0DD9Sbsi57yn/8NtUtkKr7NWiQXm+G Y2f/S7K/rvyQPEWB0v2xlz2Juj6MftTDvvwq9ixHa9VynjqTH8sEu5ahdU+JRyp8UFC+ 9D77xm0Yf8UegtGBbQgAY6eEKwmbnxeph+0eMYRo0S7G3bACFgTvjMfV9zS3O5oSF3Le RTgQ==
X-Gm-Message-State: ALoCoQlw+7F09eSlcOh1lB6HU79Z/x+EpxoxxrTppa1iw2t6Ve2oF3552vE9Y5S36rTEDA/9fK67+uxrt+ciSrfsBEnkkBB0zOIYeM3bXY6koKD8gl8buMS7oITvajxuZSIUMU2LiXlr
X-Received: by with SMTP id hv6mr7109864igb.9.1398452398362; Fri, 25 Apr 2014 11:59:58 -0700 (PDT)
X-Received: by with SMTP id hv6mr7109851igb.9.1398452398264; Fri, 25 Apr 2014 11:59:58 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 25 Apr 2014 11:59:28 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 25 Apr 2014 12:59:28 -0600
Message-ID: <CA+k3eCTeBZNh8-dhtkjbCJdJ6PfciZQNQOznJj+jdik6Z6Detw@mail.gmail.com>
To: Bill Burke <bburke@redhat.com>
Content-Type: multipart/alternative; boundary="089e013a1d8e6f238d04f7e2920a"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TqShotNz44ct0BL4aKlTEvfFQV0
Cc: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 19:00:07 -0000

draft-ietf-oauth-jwt-bearer is only about interactions (client
authentication and JWT as an authorization grant) with the token endpoint
and doesn't define JWT style access tokens.

On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke <bburke@redhat.com> wrote:

> Red Hat Keycloak [1] only supports basic auth for client authentication as
> suggested in the OAuth 2 spec.  But our access tokens are JWS signed JWTs.
> Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth [2]?
>  Or is there another document I should be following?  I'd like to see what
> other claims are being discussed related to JWT-based access tokens and may
> have some additional access token claims we've been experimenting with
> others might be interested in.
> Also, I'm not sure yet if we'll implement draft-ietf-oauth-jwt-bearer to
> authenticate clients.  A lot of our initial users are more interested in
> public clients and/or the implicit flow as they are writing a lot of pure
> javascript apps served up by simple static web servers.
> [1] http://keycloak.org
> [2] http://tools.ietf.org/html/rfc6750