Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Denis <denis.ietf@free.fr> Thu, 14 May 2020 15:29 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE4DB3A0BA5 for <oauth@ietfa.amsl.com>; Thu, 14 May 2020 08:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.4, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G67h-7WS39nP for <oauth@ietfa.amsl.com>; Thu, 14 May 2020 08:29:10 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA5B53A07C5 for <oauth@ietf.org>; Thu, 14 May 2020 08:29:09 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d55 with ME id efV62201C4FMSmm03fV7pg; Thu, 14 May 2020 17:29:07 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 14 May 2020 17:29:07 +0200
X-ME-IP: 86.238.65.197
To: Vittorio@auth0.com
Cc: oauth@ietf.org
References: <CADNypP8t4oVUpoqOFhb-Aft-5C4Z2F9O2vBxh6QxmkHrWkN_gw@mail.gmail.com> <7cf781ef-67c9-eddd-3076-403e59e371bc@free.fr> <CAO_FVe6+xY35_NjZuW=qJDgbwK_HfSP_JbvXco4Kt1TLsKF7tg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <97a76ac8-766a-ca79-a0a1-0d5893ee3fd2@free.fr>
Date: Thu, 14 May 2020 17:29:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe6+xY35_NjZuW=qJDgbwK_HfSP_JbvXco4Kt1TLsKF7tg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------85D0D26396AFC0A13C52081C"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cVRVxZ0Mxxt_tMkM_66CWnnFqr8>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 15:29:13 -0000
Hi Vittorio,
I raised the following question:
In the future, if additional parameters are included in the request,
will the "sub" claim necessarily be present in the access token ?
The answer to this question does not seem to be present in the draft.
Would you be able to provide an answer ?
Denis
> Denis, the change you mentioned is basically a typo, which I did fix
> but did not publish a new draft for- that doesn’t change the substance
> of the consensus (and is something that will be fixed in the
> subsequent phases of the process).
> Whether the sub should be mandatory has been discussed for two reasons:
>
> - as a way of distinguishing whether the token was obtained on behalf
> of a user or an application identity, by omitting it in the latter
> case. We had extensive discussions following IETF105 and concluded
> that not enough people were interested in that scenario. I kept that
> discussion open for a long time.
> - for privacy concerns. Those has been debated and your position
> failed to gather momentum.
>
> Some of the recent discussions on sub didn’t pick up on the
> discussions above and didn’t bring new arguments that weren’t already
> debated. Nonetheless I did my best to provide context and pointer to
> the past discussions when answering the concerns. In other words,
> those discussions didn’t appear to change the consensus achieved on
> the matter. We have 3 last calls, I don’t think the chairs changed the
> status of the document lightly.
>
>
>
> On Thu, May 14, 2020 at 07:29 Denis <denis.ietf@free.fr
> <mailto:denis.ietf@free.fr>> wrote:
>
> The current version of this draft is
> "draft-ietf-oauth-access-token-jwt-07" issued on April the 27 th.
>
> This means that comments sent later on on the list have not been
> incorporated in this draft.
> In particular, this one sent on April the 28 th:
>
> *1) *The title of this spec. is:
>
> JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
>
> So, this spec. is supposed to be targeted to OAuth *2.0. *
>
> However, the header at the top of the page omits to mention it.
>
> Currently, it is :
>
> Internet-Draft OAuth Access Token JWT Profile April 2020
>
> It should rather be:
>
> Internet-Draft OAuth *2.0* Access Token JWT Profile
> April 2020
>
> It has been acknowledged by Vittorio on April, the 29 th:
>
> /> The title of this spec./
>
> Fixed, thanks!
>
> This means that the draft document currently available on the IETF
> server is not reflecting the agreed comments.
>
> Since then, I questioned myself how a client would be able to
> request an access token that would be
> *strictly compliant with this Profile*.
>
> For doing this exercise, I took a look at section 3 on pages 6 to
> 8. To summarize my findings:
>
> * the request MAY include a "resource" parameter. If the request
> does not include a "resource" parameter,
> the authorization server MUST use in the "aud" claim a default
> resource indicator.
> * the request MAY include "scope" parameter. If a "scope"
> parameter is present in the request,
> the authorization server SHOULD use it to infer the value of
> the default resource indicator to be used in the "aud" claim.
>
> It seems to mean that if the request includes no "resource"
> parameter and no "scope" parameter, the access token will necessarily
> include the "sub" claim.
>
> If in the request, there would be present a parameter meaning "I
> want a token compliant with *this OAuth 2.0 profile*",
> then there would be no problem, but this is not the case.
>
> In the future, if additional parameters are included in the
> request, will the "sub" claim necessarily be present in the access
> token ?
> If yes, this may be a privacy concern.
>
> On the list there have been requirements for not making the "sub"
> parameter mandatory.
>
> This point needs to be addressed and solved one way or another.
>
>
> Denis
>
>> All,
>>
>> Based on the 3rd WGLC, we believe that we have consensus to move
>> this document forward.
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
>>
>> We will be working on the shepherd write-up and then submit the
>> document to the IESG soon.
>>
>> Regards,
>> Rifaat & Hannes
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
- [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Steinar Noem
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Vittorio Bertocci
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Janak Amarasena
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis