Re: [OAUTH-WG] About JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens Fri, 02 April 2021 19:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3EA933A2040 for <>; Fri, 2 Apr 2021 12:18:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wszeb_W21Odg for <>; Fri, 2 Apr 2021 12:18:13 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DEB0E3A203E for <>; Fri, 2 Apr 2021 12:18:13 -0700 (PDT)
Received: by with SMTP id v10so4145620pfn.5 for <>; Fri, 02 Apr 2021 12:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=zD09ScUBub9iXtSBZKXC4M1i6J2x9y08PrYcxsJetCo=; b=XvlL+gPHdBWJHi7uDeLj5Zcq2jXH+i3NDaMeWc0Q03LbhVGve6uaF4vi2xYb/Cr8Io c+gG/Gy4sILWrJiTIhCmdf4vcCfyGUJQmTa1L3I6F3HjNAAGXc9gRFpMJ4AGg6qbP6TO gRP5rP9Qq6i0yiLNtaNEiGQ9nXDVDHr/w6RCGOIrcBbciYc53IUwfKmFwBgc0+81ZM3p mS4diFnSe6ZXzm2uauRFVA+BguSaKQKLG1wYUH02ZITmF6VSg6kBCVMsabTFxSHKd2Uv QJ7y5FQ841EwY9EqNSoDtwTjAiDnZ8LT9sANRr8bHPMNCp57GIRk9VcitpLMEdFq9D2y 7aZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=zD09ScUBub9iXtSBZKXC4M1i6J2x9y08PrYcxsJetCo=; b=B+G+Gp65kyIBVORy5gGG2MlkZtyT+WETLf+zEvc7g6jmi2zUDNi/LDZXUOi4vJl33z kB7dc1ZkMvBtqJOAKKBN2NfvTWjGDNeANwOa/VJTMrcDd8G2bwez3Mujawt+p1/Kql44 Z7bbwJmv7RlDgpt9F/+uVdERPT7vdz2s9Iaameo3dSybgtRADWrtU0/vaL4QKGpCQ2cS xUYsxBCf8MD+u2gS5N7Bl+0EYvxDKcAD9H8IU+hbF/fbQORXy4pLBQuUs9W0LKkQTMYC khOfi/huk8cnnvSxXp5VPVyI5V4RQm3whN7z5rqNIaBlqhZQgsRBwHQVHkl1OnO9s8Xh P9vQ==
X-Gm-Message-State: AOAM531F4448cxzkahl6S3PNS8LtHSteigE1GyoKep2lhpUub6ydUa3p ZR/Wlwf5b7CmIIfOr6co4xBRLK0Re+BXvw==
X-Google-Smtp-Source: ABdhPJwGycC4kpottcQwNMNwrsDDkrDL36r/EzbjDCOs1kGhtOwP+IAApLI9HVQ6DwWCHXKne20dAQ==
X-Received: by 2002:a63:e746:: with SMTP id j6mr12850547pgk.91.1617391092355; Fri, 02 Apr 2021 12:18:12 -0700 (PDT)
Received: from vibrosurface7 ( []) by with ESMTPSA id 22sm8793769pjl.31.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Apr 2021 12:18:12 -0700 (PDT)
To: 'Nikos Fotiou' <>, 'oauth' <>
References: <>
In-Reply-To: <>
Date: Fri, 02 Apr 2021 12:18:10 -0700
Message-ID: <057901d727f4$ebae4850$c30ad8f0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJDbSulm5vRZLDhbd+SAlQ8zqad/anJDd9g
Content-Language: en-us
Archived-At: <>
Subject: Re: [OAUTH-WG] About JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Apr 2021 19:18:18 -0000

Hi Nikos,
Thanks for looking into this!
The profile aims at reflecting currently adopted practice as much as it is
viable, and the overwhelming majority of the use cases involving access
tokens today relies on bearer tokens.
Note: although there's no practical difference between versions in the
matter you brought up here, in general I recommend referring to the latest
draft: we are currently on version 12

-----Original Message-----
From: OAuth <> On Behalf Of Nikos Fotiou
Sent: Thursday, April 1, 2021 12:11 PM
To: oauth <>
Subject: [OAUTH-WG] About JSON Web Token (JWT) Profile for OAuth 2.0 Access

By reading this draft
( I got the
impression that it implies using JWTs as bearer tokens, e.g., it does
consider any of the semantics defined in RFC7800. Is this correct? If yes
what was the rational behind this design choice?

Thanks a lot,

Nikos Fotiou - Researcher - Mobile
Multimedia Laboratory Athens University of Economics and Business