Re: [OAUTH-WG] JWT Token on-behalf of Use case

Mike Jones <> Tue, 07 July 2015 19:59 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 08C3F1A8997 for <>; Tue, 7 Jul 2015 12:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z3-nvKwyN4gA for <>; Tue, 7 Jul 2015 12:59:10 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::780]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 42B901A8996 for <>; Tue, 7 Jul 2015 12:59:10 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 7 Jul 2015 19:59:04 +0000
Received: from ([]) by ([]) with mapi id 15.01.0213.000; Tue, 7 Jul 2015 19:59:04 +0000
From: Mike Jones <>
To: Justin Richer <>, Kathleen Moriarty <>
Thread-Topic: [OAUTH-WG] JWT Token on-behalf of Use case
Date: Tue, 7 Jul 2015 19:59:04 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:uIZBH8Cxw8NHNRtB+i982Q/JPabbnKxXsfSfXjJSEDvVQvV4g7uL+w3xpyuU095F75fRUIiG68IZSh0/TKdd7ftrSxKXTE+kK4aSigdqMn8QRDwKpTsXB+OnEgHW2rQagb/pnMjiOOxH371sNNuVBw==; 24:Zu3ylSUanXs7+5VRX38ziD4VgBTyx2T8mVGaS4289oqGQQVErBt5BulP867dQYIRjlVwVBgxArCWMbZmprX+WR9/Djd89JtXBT26O7Op8U0=; 20:7oa3K6gvbPJ8cXeqL8lhPUYJVEomZ+3VnllycDNcN0/tsDEXrkq4c8oyLJnQejtlKi7s7ZPKR3IiPIUgQih2BA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
by2pr03mb441: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 0630013541
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(24454002)(377454003)(5002640100001)(5001960100002)(92566002)(99286002)(189998001)(5003600100002)(77096005)(19609705001)(46102003)(74316001)(19300405004)(19617315012)(16236675004)(93886004)(19580395003)(86612001)(62966003)(2950100001)(54356999)(2900100001)(40100003)(50986999)(76176999)(15975445007)(77156002)(2656002)(19625215002)(2171001)(102836002)(87936001)(19580405001)(86362001)(33656002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4422A0B7854AFC6CB336389F5920BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2015 19:59:04.4627 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] JWT Token on-behalf of Use case
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jul 2015 19:59:13 -0000

I’ll write a note later today describing how the just-published update that makes the Token Exchange draft token-type agnostic also enables it to be used in fully “OAuthy” cases – where some of the tokens used are OAuth access tokens or refresh tokens.

(Right now I’m writing up the changes made to draft-ietf-oauth-proof-of-possession, then will get to the JWK Thumbprint and Token Exchange write-ups…)

                                                                -- Mike

From: OAuth [] On Behalf Of Justin Richer
Sent: Tuesday, July 07, 2015 12:52 PM
To: Kathleen Moriarty
Cc: <>
Subject: Re: [OAUTH-WG] JWT Token on-behalf of Use case


I agree that Brian’s approach covers the use case that drove my original draft and effectively subsumes my approach.

My standing contention with the document as it stands is and has always been that it’s lacking a general syntactical approach and it isn’t very OAuth-y. I would love to see a productive conversation on this front.

 — Justin

On Jul 7, 2015, at 3:43 PM, Kathleen Moriarty <<>> wrote:

I'm just catching up on this tread, but would appreciate an in-room discussion on this topic that doesn't assume the adopted draft has the agreed upon approach as I am not reading that there is consensus on that approach in this thread at all.

Could we see presentations on Mike's draft and Brian's?  Justin, do you agree that Brian's draft covers the use case in our draft as was implied in this thread?

I'd like to see a discussion guided by the chairs to see if we can find a go-forward plan.  There seems to be differing opinions and maybe a pull towards simpler approaches that extend Oauth.

Thank you.

On Tue, Jul 7, 2015 at 3:18 PM, Sam Hartman <<>> wrote:
Speaking as someone who is reasonably familiar with Kerberos and the
general concepts involved, I find both Microsoft/Kerberos technology
((constrained delegation/protocol transition) and the ws-trust text
horribly confusing and would recommend against all of the above as
examples of clarity.
After several years I've finally gotten to a point where I understand
the Kerberos terms, but that's simply by using them regularly, not
because there was clarity.

This may be a case where new terminology is worthwhile if you can find
something that multiple people (especially new readers not overly
familiar with the concepts) find to be clear.

OAuth mailing list<>


Best regards,