Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Denis <denis.ietf@free.fr> Thu, 14 May 2020 15:29 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE4DB3A0BA5 for <oauth@ietfa.amsl.com>; Thu, 14 May 2020 08:29:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.4, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G67h-7WS39nP for <oauth@ietfa.amsl.com>; Thu, 14 May 2020 08:29:10 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA5B53A07C5 for <oauth@ietf.org>; Thu, 14 May 2020 08:29:09 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d55 with ME id efV62201C4FMSmm03fV7pg; Thu, 14 May 2020 17:29:07 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 14 May 2020 17:29:07 +0200
X-ME-IP: 86.238.65.197
To: Vittorio@auth0.com
Cc: oauth@ietf.org
References: <CADNypP8t4oVUpoqOFhb-Aft-5C4Z2F9O2vBxh6QxmkHrWkN_gw@mail.gmail.com> <7cf781ef-67c9-eddd-3076-403e59e371bc@free.fr> <CAO_FVe6+xY35_NjZuW=qJDgbwK_HfSP_JbvXco4Kt1TLsKF7tg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <97a76ac8-766a-ca79-a0a1-0d5893ee3fd2@free.fr>
Date: Thu, 14 May 2020 17:29:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe6+xY35_NjZuW=qJDgbwK_HfSP_JbvXco4Kt1TLsKF7tg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------85D0D26396AFC0A13C52081C"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cVRVxZ0Mxxt_tMkM_66CWnnFqr8>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2020 15:29:13 -0000
Hi Vittorio, I raised the following question: In the future, if additional parameters are included in the request, will the "sub" claim necessarily be present in the access token ? The answer to this question does not seem to be present in the draft. Would you be able to provide an answer ? Denis > Denis, the change you mentioned is basically a typo, which I did fix > but did not publish a new draft for- that doesn’t change the substance > of the consensus (and is something that will be fixed in the > subsequent phases of the process). > Whether the sub should be mandatory has been discussed for two reasons: > > - as a way of distinguishing whether the token was obtained on behalf > of a user or an application identity, by omitting it in the latter > case. We had extensive discussions following IETF105 and concluded > that not enough people were interested in that scenario. I kept that > discussion open for a long time. > - for privacy concerns. Those has been debated and your position > failed to gather momentum. > > Some of the recent discussions on sub didn’t pick up on the > discussions above and didn’t bring new arguments that weren’t already > debated. Nonetheless I did my best to provide context and pointer to > the past discussions when answering the concerns. In other words, > those discussions didn’t appear to change the consensus achieved on > the matter. We have 3 last calls, I don’t think the chairs changed the > status of the document lightly. > > > > On Thu, May 14, 2020 at 07:29 Denis <denis.ietf@free.fr > <mailto:denis.ietf@free.fr>> wrote: > > The current version of this draft is > "draft-ietf-oauth-access-token-jwt-07" issued on April the 27 th. > > This means that comments sent later on on the list have not been > incorporated in this draft. > In particular, this one sent on April the 28 th: > > *1) *The title of this spec. is: > > JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens > > So, this spec. is supposed to be targeted to OAuth *2.0. * > > However, the header at the top of the page omits to mention it. > > Currently, it is : > > Internet-Draft OAuth Access Token JWT Profile April 2020 > > It should rather be: > > Internet-Draft OAuth *2.0* Access Token JWT Profile > April 2020 > > It has been acknowledged by Vittorio on April, the 29 th: > > /> The title of this spec./ > > Fixed, thanks! > > This means that the draft document currently available on the IETF > server is not reflecting the agreed comments. > > Since then, I questioned myself how a client would be able to > request an access token that would be > *strictly compliant with this Profile*. > > For doing this exercise, I took a look at section 3 on pages 6 to > 8. To summarize my findings: > > * the request MAY include a "resource" parameter. If the request > does not include a "resource" parameter, > the authorization server MUST use in the "aud" claim a default > resource indicator. > * the request MAY include "scope" parameter. If a "scope" > parameter is present in the request, > the authorization server SHOULD use it to infer the value of > the default resource indicator to be used in the "aud" claim. > > It seems to mean that if the request includes no "resource" > parameter and no "scope" parameter, the access token will necessarily > include the "sub" claim. > > If in the request, there would be present a parameter meaning "I > want a token compliant with *this OAuth 2.0 profile*", > then there would be no problem, but this is not the case. > > In the future, if additional parameters are included in the > request, will the "sub" claim necessarily be present in the access > token ? > If yes, this may be a privacy concern. > > On the list there have been requirements for not making the "sub" > parameter mandatory. > > This point needs to be addressed and solved one way or another. > > > Denis > >> All, >> >> Based on the 3rd WGLC, we believe that we have consensus to move >> this document forward. >> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/ >> >> We will be working on the shepherd write-up and then submit the >> document to the IESG soon. >> >> Regards, >> Rifaat & Hannes >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Steinar Noem
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Vittorio Bertocci
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Janak Amarasena
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Benjamin Kaduk
- Re: [OAUTH-WG] JSON Web Token (JWT) Profile for O… Denis