[OAUTH-WG] OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution nitpicking

Antonio Sanso <asanso@adobe.com> Thu, 13 November 2014 10:59 UTC

From: Antonio Sanso <asanso@adobe.com>
To: OAuth WG <oauth@ietf.org>
Date: Thu, 13 Nov 2014 10:58:57 +0000
Message-ID: <77D02F4C-4C5D-4A9A-870E-6EEEA92CC745@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/e6u9S61ARLkowTKq9NIhm6mn9x8

hi *.

AFAIU the access token in the Client-to-AS Response is not “forced” to be JWT format but can also be an opaque string.
Now the example rather says:

     HTTP/1.1 200 OK
     Content-Type: application/json
     Cache-Control: no-store

     {
       "access_token":"SlAV32hkKG ...
        (remainder of JWT omitted for brevity;
        JWT contains JWK in the cnf claim)",
       "token_type":"pop",
       "expires_in":3600,
       "refresh_token":"8xLOxBtZp8",
       "key":"eyJhbGciOiJSU0ExXzUi ...
        (remainder of plain JWK omitted for brevity)"
     }
now IMHO this is a bit odd because

       "access_token":"SlAV32hkKG ...
        (remainder of JWT omitted for brevity;
        JWT contains JWK in the cnf claim)"

so either it is not a JWT and "remainder of JWT omitted…" should be removed, or SlAV32hkKG should look like a JWT (and that is not the case at the moment :))

regards

antonio

[0] https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-00#section-4.2
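As an added illustration (not part of Antonio's message, nor code from the draft), the check a client or resource server would actually run on the Client-to-AS Response: decide structurally whether "access_token" is a compact JWT or an opaque string, and for a JWT verify it and pull the JWK out of the "cnf" claim. The HS256 secret, the sample claims and the sample JWK are constructed placeholders; "SlAV32hkKG" is the value from the draft's example and, as the message says, does not parse as a JWT.

```python
"""Tell an opaque access token from a JWT in a PoP key-distribution response
and, for a JWT, extract the confirmation key carried in the "cnf" claim.
Added example; everything below that is not from the draft is constructed."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret used only to sign/verify the sample JWT below.
SAMPLE_HS256_SECRET = b"constructed-example-secret"

# Constructed client key; a real one would carry genuine EC coordinates.
SAMPLE_CNF_JWK = {"kty": "EC", "crv": "P-256", "kid": "constructed-client-key-1",
                  "x": "constructed-x", "y": "constructed-y"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Compact JWS segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def looks_like_jwt(token: str) -> bool:
    """Structural test only: three non-empty segments whose first segment
    decodes to a JSON object with an "alg" member (a JOSE header).
    An opaque string such as "SlAV32hkKG" fails this test."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256) over the given claims; used for the sample."""
    header = {"alg": "HS256", "typ": "JWT"}
    dump = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(dump(header)) + "." + b64url_encode(dump(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """Check the signature with a pinned algorithm, then return the claims."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def classify_response(response_json: str, secret: bytes) -> dict:
    """Return the token kind ("opaque" or "jwt") and, for a JWT, the cnf JWK."""
    resp = json.loads(response_json)
    token = resp["access_token"]
    if not looks_like_jwt(token):
        return {"kind": "opaque", "cnf_jwk": None, "key": resp.get("key")}
    claims = verify_hs256_jwt(token, secret)
    return {"kind": "jwt", "cnf_jwk": claims.get("cnf", {}).get("jwk"), "key": resp.get("key")}


# Constructed sample responses in the shape of the draft's example.
OPAQUE_RESPONSE = json.dumps({"access_token": "SlAV32hkKG", "token_type": "pop",
                              "expires_in": 3600, "refresh_token": "8xLOxBtZp8",
                              "key": "eyJhbGciOiJSU0ExXzUi..."})
JWT_RESPONSE = json.dumps({"access_token": make_hs256_jwt(
                               {"iss": "https://as.example", "sub": "client-1",
                                "cnf": {"jwk": SAMPLE_CNF_JWK}}, SAMPLE_HS256_SECRET),
                           "token_type": "pop", "expires_in": 3600,
                           "key": "eyJhbGciOiJSU0ExXzUi..."})

if __name__ == "__main__":
    print(classify_response(OPAQUE_RESPONSE, SAMPLE_HS256_SECRET))
    print(classify_response(JWT_RESPONSE, SAMPLE_HS256_SECRET))
```

The structural check deliberately stops at the JOSE header: whether a token is a JWT is a question about its wire format, and only after that does signature verification (with the algorithm pinned by the verifier, not chosen by the token) decide whether the "cnf" key may be trusted.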