Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Filip Skokan <> Tue, 24 March 2020 09:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2F6423A11AD for <>; Tue, 24 Mar 2020 02:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id stTF_3C_DkfT for <>; Tue, 24 Mar 2020 02:31:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::b2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 095C23A11AC for <>; Tue, 24 Mar 2020 02:31:49 -0700 (PDT)
Received: by with SMTP id d5so8773286ybs.8 for <>; Tue, 24 Mar 2020 02:31:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iMp9cuwvGk56sTRW6CRBeGqCFS/5QjhRX15v0tXSy0A=; b=sYo0cYyfx7BrA2k+PiNfYHZFlv9saleL55CtXUz1u6n27v0XbYS5D8qfRdAN3SbuC7 R2qjBRmOxrwg0OiTw0dcUATo8xay6k6jxAXvSSKsOxM4uvb2nrMdLhqO3h7wE3RxXZN7 DwS13kUlWQOzGehqUEKGH8hImcFVUnMFMryVMugcY5/bld++Zj1O9FitVko90Ihhqs1J jSwN4OyZl0ZNdzWvO9dR32tLPwxDEuIhx6x+6ApAgy3vMrC82ZdcYcVD0CjiV+9QaafD NdYw2LwX74h/KnOW/P4vJRB+BVyTX3ZfCSOvEPckRYHCtg1bKaUzBvLZtuj+kh4LOEEe PEuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iMp9cuwvGk56sTRW6CRBeGqCFS/5QjhRX15v0tXSy0A=; b=fWZ6bbfl4Rg8emygcAPh+gfwRNhpHmtObb3uQ3rcRmbSsXugNJHGy0phIVsmMhsz2a mHccckc1uReqGcNgckqeRuV9iqjJrEWnYN0Iv8lZ9BbaJJ5FtIhLpevPuserEkVbhuKN fqToeQU/h8UdKXzA3G6RlCgTBj45yRqQ9rs8srSn+fq1utSQXzd9SXH4FNXkOSMNLiwr RYKL7vjlm9gLssFr6xzPBD2DT/x/AwtyCKHe2q65e5uU3TLG81V94lzeF6qtyHPz97LJ IqJoroKTbI1tZJ/SRNNRmHbd9yVNP4AT7QSao9FWSZHCOscKL9WFb+LmCd1/U+FAnhwx tuWw==
X-Gm-Message-State: ANhLgQ10DrOsBMY7DPIAEmM5/kTeKYUsdtkCdG2KQu7ZS9ajTqXDhaUu uTw0MvF0Fzws9tLj4ZxSPKfeInXe6dqfkWDd0glkleM=
X-Google-Smtp-Source: ADFU+vshIIoxt/Fy4awwdkKS4zfuPiFEbLvmgn2snog7LPqpOoIuIgwsVMz3ar61WewuiUAJ92b6jFT1j9/sJhlXqS4=
X-Received: by 2002:a25:8246:: with SMTP id d6mr32394318ybn.427.1585042308867; Tue, 24 Mar 2020 02:31:48 -0700 (PDT)
MIME-Version: 1.0
References: <> <01ec01d6017c$162eb2e0$428c18a0$> <>
In-Reply-To: <>
From: Filip Skokan <>
Date: Tue, 24 Mar 2020 10:31:12 +0100
Message-ID: <>
To: Takahiko Kawasaki <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="000000000000c62e5805a1966bd9"
Archived-At: <>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Mar 2020 09:31:52 -0000

Ad 1) the language is tricky but it does not say forbid the client from
sending in two resource values to the authorization endpoint, it says that
when access token is issued (i.e. the authorization_code grant at the token
endpoint) one of the granted resource values must be part of the request or
default to end up with an access token with a single audience. A resulting
refresh token contains all granted resource values. I don't see this as a
conflict but rather further profiling.

Ad 2) I disagree with making `aud` optional.

S pozdravem,
*Filip Skokan*

On Tue, 24 Mar 2020 at 07:48, Takahiko Kawasaki <> wrote:

> (1)
> The requirement in the paragraph below excerpted from "3. Requesting a JWT
> Access Token":
> *If it receives a request for an access token containing more than one
> resource parameter, an authorization server issuing JWT access tokens MUST
> reject the request and fail with "invalid_request" as described in section
> of [RFC6749] or with "invalid_target" as defined in section 2 of
> [RFC8707].  See Section 2.2 and Section 5 for more details on how this
> measure ensures there's no confusion on to what resource the access token
> granted scopes apply.*
> apparently conflicts with RFC 8707. I'm afraid vendors that support RFC
> 8707 won't support this draft unless the requirement is loosened, for
> example from MUST to SHOULD.
> (2)
> Regarding another paragraph shown below from the same section.
> *If the request does not include a resource parameter, the authorization
> server MUST use in the aud claim a default resource indicator.  If a scope
> parameter is present in the request, the authorization server SHOULD use it
> to infer the value of the default resource indicator to be used in the aud
> claim.  The mechanism through which scopes are associated to default
> resource indicator values is outside the scope of this specification.  If
> the values in the scope parameter refer to different default resource
> indicator values, the authorization server SHOULD reject the request with
> invalid_scope as described in section of [RFC6749].*
> The rule described here whereby to determine the default value of the
> "aud" claim is unintelligible. In addition, I don't think the rule
> referring to the "scope" parameter is worth being defined. That "aud" is
> missing but "scope" is available is enough for resource servers. In other
> words, if "aud" is determined based on the "scope", why do we have to set
> "aud" redundantly?
> Requiring the "aud" as a MUST claim is the reason that this draft has to
> introduce philosophy about "aud" that may conflict with other
> specifications and may not be supported by all implementers. I would
> suggest changing "REQUIRED" to "OPTIONAL".
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
> On Tue, Mar 24, 2020 at 10:32 AM Nikos Fotiou <> wrote:
>> Hi all,
>> Allow me some comments and forgive me if some of them are naïve.
>> - In Section 2.2 why nbf claim (
>> <> is not considered?
>> I can imagine some interesting applications of this claim.
>> - In the same section, it is not clear why some claims are required,
>> especially exp, sub, and client_id. The last two claims are not even used
>> during token validation.
>> - RFC7519 specifies that, in the general case, the aud claim is an array
>> of StringOrURI values. In this draft it is not clear if this still the
>> case, or here aud is a simple string (e.g., in page 5 it is stated: the
>> resource indicated in the aud claim, rather than the resource*s*).
>> - In the token validation procedure, i.e., Section 4, is there any reason
>> why the resource server first checks the aud claim, then the signature, and
>> finally the exp claim? Given the fact that Error responses are not
>> specified, returning something like “invalid aud claim” even for tokens
>> with invalid signature may result in privacy/security attacks.
>> - IMHO The token validation procedure it too bound to the particular
>> discovery mechanisms mentioned at the beginning of this section. E.g., Step
>> 2 mentions a “registration” process, and Step 3 mentions and an “Issuer
>> Identifier” which must much the iss claim. Moreover, I think it should be
>> explicitly mentioned that the resource server “must validate that the JWT
>> access token has been singed with a signing key that corresponds to the
>> authorization server included in the iss claim”
>> Best,
>> Nikos
>> *From:* OAuth < <>> *On
>> Behalf Of *Hannes Tschofenig
>> *Sent:* Monday, March 23, 2020 11:18 PM
>> *To:* oauth <>
>> *Subject:* [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth
>> 2.0 Access Tokens"
>> Hi all,
>> this is a working group last call for "JSON Web Token (JWT) Profile for
>> OAuth 2.0 Access Tokens".
>> Here is the document:
>> Please send you comments to the OAuth mailing list by April 6, 2020.
>> Ciao
>> Hannes & Rifaat
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list