Re: [OAUTH-WG] JWT - scope claim missing
Brian Campbell <bcampbell@pingidentity.com> Thu, 28 February 2013 16:45 UTC
To: Phil Hunt <phil.hunt@oracle.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
I think John's point was more that scope is something rather specific to an OAuth access token and, while JWT can be used to represent an access token, it's not the only application of JWT. The 'standard' claims in JWT are those that are believed (right or wrong) to be widely applicable across different applications of JWT. One could argue about it but scope is probably not one of those.

It would probably make sense to try and build a profile of JWT specifically for OAuth access tokens (though I suspect there are some turtles and dragons in there), which might be the appropriate place to define/register a scope claim.

On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Are you advocating TWO systems? That seems like a bad choice.
>
> I would rather fix scope than go to a two system approach.
>
> Phil
>
> Sent from my phone.
>
> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> > While scope is one method that an AS could communicate authorization to an RS, it is not the only or perhaps even the most likely one.
> > Using scope requires a relatively tight binding between the RS and AS, UMA uses a different mechanism that describes finer grained operations.
> > The AS may include roles, user, or other more abstract claims that the client may (god help them) pass on to EXCML for processing.
> >
> > While having a scopes claim is possible, like any other claim it is not part of the JWT core security processing claims, and needs to be defined by extension.
> >
> > John B.
> >
> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> >
> >> Hi Mike,
> >>
> >> when I worked on the MAC specification I noticed that the JWT does not have a claim for the scope. I believe that this would be needed to allow the resource server to verify whether the scope the authorization server authorized is indeed what the client is asking for.
> >>
> >> Ciao
> >> Hannes
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
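The resource-server check Hannes asks for, as an added example that is not code from this thread or from any participant. It assumes a hypothetical access-token profile in which `scope` is a space-delimited string (as in the OAuth token response), an HS256 key shared with the AS (a constructed demo value), and, following John's point, treats `scope` as an extension claim checked only after the core JWT validation; `verify_access_token` and `mint_token` are names chosen here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real RS obtains the AS's key out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build an HS256 JWT; used here only to construct sample input."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_access_token(token: str, required: set, audience: str,
                        key: bytes = SHARED_KEY, now: float = 0.0) -> dict:
    """Check signature, exp and aud, then the extension 'scope' claim (assumed,
    per a hypothetical profile, to be a space-delimited string as in the OAuth
    token response). Raises ValueError on failure, returns the claims set."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm; the token must not choose how it is verified.
    if json.loads(b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this RS")
    # scope is not a core JWT claim: absent means nothing granted, never "all".
    granted = set(str(claims.get("scope", "")).split())
    missing = required - granted
    if missing:
        raise ValueError(f"insufficient scope, missing {sorted(missing)}")
    return claims
```

The order matters: the scope comparison runs only on a token whose signature, expiry and audience have already been accepted, so a forged or misdirected token never reaches the authorization decision.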