Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-par-08: (with COMMENT)

"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 01 July 2021 12:38 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-par@ietf.org" <draft-ietf-oauth-par@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, oauth <oauth@ietf.org>, Hannes Tschofenig <hannes.tschofenig@arm.com>
Thread-Topic: Robert Wilton's No Objection on draft-ietf-oauth-par-08: (with COMMENT)
Thread-Index: AQHXbMR39Yh4VElZOU+lbg10KM0zJKstD5eAgAC8KfA=
Date: Thu, 01 Jul 2021 12:38:27 +0000
Message-ID: <DM4PR11MB5438A0C76AC3DEC2A194CE63B5009@DM4PR11MB5438.namprd11.prod.outlook.com>
References: <162495689162.17201.16673826726221874767@ietfa.amsl.com> <CA+k3eCQcouZOVbeN96pbKny5MBBf=463g4nrDyPFzWx2SmGN_w@mail.gmail.com>
In-Reply-To: <CA+k3eCQcouZOVbeN96pbKny5MBBf=463g4nrDyPFzWx2SmGN_w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/U0HH6vfwIAMO1KiOMyd62GX15jA>
Subject: Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-par-08: (with COMMENT)

Hi Brian,

Thanks.

Regarding caching, yes, I think that you are right that POST requests don’t get cached.

Regarding the lifetime, why wouldn’t you want to specify a limit?  It would seem to make it easier for implementations if they know that they never have to cope with a value over X.

Thanks,
Rob



From: Brian Campbell <bcampbell@pingidentity.com>
Sent: 30 June 2021 22:12
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-oauth-par@ietf.org; oauth-chairs@ietf.org; oauth <oauth@ietf.org>; Hannes Tschofenig <hannes.tschofenig@arm.com>
Subject: Re: Robert Wilton's No Objection on draft-ietf-oauth-par-08: (with COMMENT)

Thanks for the review Rob. I've endeavored to reply to your comments inline below.

On Tue, Jun 29, 2021 at 2:54 AM Robert Wilton via Datatracker <noreply@ietf.org> wrote:
Robert Wilton has entered the following ballot position for
draft-ietf-oauth-par-08: No Objection

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Hi,

Thanks for this document.  Outside my area of expertise, but I have a couple of
questions/comments:

Section 2:
   Due to historical reasons there is potential ambiguity regarding the
   appropriate audience value to use when employing JWT client assertion
   based authentication (defined in Section 2.2 of [RFC7523] with
   "private_key_jwt" or "client_secret_jwt" authentication method names
   per Section 9 of [OIDC]).  To address that ambiguity the issuer
   identifier URL of the authorization server according to [RFC8414]
   SHOULD be used as the value of the audience.  In order to facilitate
   interoperability the authorization server MUST accept its issuer
   identifier, token endpoint URL, or pushed authorization request
   endpoint URL as values that identify it as an intended audience.

I may be misunderstanding this text, but I note that by giving flexibility to
the client (i.e., the SHOULD) and being strict on the receiver (MUST support x,
y, z), this seems to encourage a proliferation.  Hence, I was wondering whether
this might be better the other way round.  I.e., be strict with what is sent,
and less strict with what is received: MUST send 'issuer identifier', MUST
receive 'issuer identifier', SHOULD receive 'token endpoint URL' and 'pushed
authorization request endpoint URL'?

While definitely not trying to encourage proliferation, the text is aiming to help interoperability while also accounting for the treatment in other documents (RFC7523/21) and existing implementations while also allowing for consistent processing to be implemented across the different endpoints where JWT client assertion based authentication can be employed. It's kinda tricky and I don't know for sure that the current text is exactly right but it's made it through the WG process and seen a number of implementations.


2.
   *  "expires_in" : A JSON number that represents the lifetime of the
      request URI in seconds as a positive integer.  The request URI
      lifetime is at the discretion of the authorization server but will
      typically be relatively short (e.g., between 5 and 600 seconds).

JSON numbers are doubles, but the value is a positive integer.  Does it make
sense to put in a hard limit of 2^53, or given that these are expected to be
small numbers, 2^31 - 1?

I think the soft general guidance is enough and don't believe a hard upper limit is needed.


3. The success and error examples both define:
    Content-Type: application/json
    Cache-Control: no-cache, no-store

The document states that the response should be JSON, but should it more
specifically specify the content type as "application/json"?

Yeah, it probably should be that specific. I'll add the content type specificity to the document.


Similarly, the
cache control makes sense, but should the document mandate that the response
must include "Cache-Control: no-cache, no-store"?

Although it makes sense not to cache I'm less comfortable mandating cache control stuff - particularly for a response to a POST (that I'm not sure is ever cacheable anyway) and for a client that is most likely not doing any caching at all and would immediately encounter failures if it were.


Regards,
Rob
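As an added illustration (not text from either message, and not the draft's own example code), the following Python sketches the two checks this thread touches: on the authorization-server side, accepting any of the three audience values the quoted Section 2 text says the server MUST accept, and on the client side, parsing "expires_in" defensively given that JSON numbers are doubles while the draft requires a positive integer. The endpoint URLs and the 2^31 - 1 cap are assumptions of this example, not values from the draft.

```python
import json
import math

# Constructed endpoint values for this example; a real AS would take these
# from its own metadata per RFC 8414.
ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = "https://as.example.com/token"
PAR_ENDPOINT = "https://as.example.com/as/par"


def acceptable_audiences():
    """The three values the quoted Section 2 text says the AS MUST accept."""
    return {ISSUER, TOKEN_ENDPOINT, PAR_ENDPOINT}


def audience_ok(aud):
    """AS-side check of a client assertion's 'aud' claim (RFC 7523 / RFC 7519).
    'aud' may be a string or a non-empty array of strings; one match suffices,
    but non-string entries are rejected rather than coerced."""
    values = [aud] if isinstance(aud, str) else aud
    if not isinstance(values, list) or not values:
        return False
    if not all(isinstance(v, str) for v in values):
        return False
    return any(v in acceptable_audiences() for v in values)


# Assumed client-side cap: the draft gives only soft guidance (typically 5..600 s),
# so a client picks its own bound; 2^31 - 1 keeps the value in a 32-bit signed int.
MAX_EXPIRES_IN = 2**31 - 1


def parse_par_response(body):
    """Client-side parsing of a successful PAR response body.
    Returns (request_uri, expires_in) or raises ValueError."""
    data = json.loads(body)
    uri = data.get("request_uri")
    if not isinstance(uri, str) or not uri:
        raise ValueError("missing or malformed request_uri")
    exp = data.get("expires_in")
    # json.loads yields int for 600 and float for 600.0 or 6e2; bool is an int subclass.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("expires_in must be a JSON number")
    if isinstance(exp, float):
        if not math.isfinite(exp) or not exp.is_integer():
            raise ValueError("expires_in must be an integer")
        exp = int(exp)
    if exp <= 0 or exp > MAX_EXPIRES_IN:
        raise ValueError("expires_in out of range")
    return uri, exp


def par_response_valid(body):
    """True if parse_par_response accepts the body, False otherwise."""
    try:
        parse_par_response(body)
        return True
    except ValueError:
        return False
```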


