Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

n-sakimura <n-sakimura@nri.co.jp> Wed, 10 April 2019 13:41 UTC

From: n-sakimura <n-sakimura@nri.co.jp>
To: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 10 Apr 2019 13:41:19 +0000
Message-ID: <TYAPR01MB44130A50284A47FC923B0AA3F92E0@TYAPR01MB4413.jpnprd01.prod.outlook.com>
References: <AM6PR08MB36861CE2351D6922D5F8F91FFA2C0@AM6PR08MB3686.eurprd08.prod.outlook.com> <MW2PR00MB0396F840F48EFC98A28C61BCA62E0@MW2PR00MB0396.namprd00.prod.outlook.com>
In-Reply-To: <MW2PR00MB0396F840F48EFC98A28C61BCA62E0@MW2PR00MB0396.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_jCMcjYVYGSlSEMKX3uu2dShtW4>
Subject: Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

+1

For that matter, explicit typing is good and I am a bit ambivalent on the use of `sub`.

Also, I need to add a 4th consideration: although the current privacy consideration talks about encryption, it is in relation to end-user exposure. In fact, a by-value access token that includes some PII is by definition leaking information and violating the data minimization principle. This should be clearly delineated. My gut feeling is that it should be encrypted unless it is certain that it does not include sensitive PII, as judging whether a claim may form PII is too hard for an average developer.
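The two points raised in this thread, explicit typing and the visibility of claims in a by-value token, shown as an added stand-alone Python example (not code from the thread or the draft). It assumes an `at+jwt` value for the `typ` header and uses a constructed HS256 demo key; a real authorization server would sign with an asymmetric key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by AS and resource server (HS256 keeps the example stdlib-only).
DEMO_KEY = b"constructed-demo-hmac-key"
# Assumed media type for explicitly typed access tokens.
ACCESS_TOKEN_TYP = "at+jwt"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jws(header: dict, claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce a signed (not encrypted) JWT in JWS compact serialization."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def peek_claims(token: str) -> dict:
    """Read the payload with no key at all: every party that handles a by-value
    JWS (client, proxies, logs) sees exactly this, which is the PII concern."""
    return json.loads(b64url_decode(token.split(".")[1]))


def validate_access_token(token: str, key: bytes = DEMO_KEY) -> dict:
    """Resource-server side: enforce explicit typing and verify the signature.
    Returns the claims, or raises ValueError for anything that is not a valid access token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # An ID Token (typ "JWT") or any other token type must not be accepted here.
    if header.get("typ") != ACCESS_TOKEN_TYP:
        raise ValueError("not an access token: typ=%r" % header.get("typ"))
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))
```

`peek_claims` needs no key, which is why a claim such as `email` in a signed-only token is already disclosed to whoever holds the token; only JWE would hide it.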

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Anthony Nadalin
Sent: Wednesday, April 10, 2019 8:12 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

I support adoption of this draft as a working group document with the following caveats:

1. These are not to be used as ID Tokens/authentication tokens
2. The privacy issues must be addressed
3. Needs to be extensible, much like ID-Token, can't be 100% fixed


-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Monday, April 8, 2019 10:07 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

Hi all,

this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens' document following the positive feedback at the last IETF meeting in Prague.

Here is the document:
https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00

Please let us know by April 22nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Ciao
Hannes & Rifaat


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
