Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

Brian Campbell <> Wed, 18 April 2018 15:17 UTC

To: Torsten Lodderstedt <>
Cc: oauth <>

The draft-ietf-oauth-token-exchange document makes use of scope and at some
point in that work it came to light that, despite the concept of scope
being used lots of places elsewhere, there was no officially registered JWT
claim for scope. As a result, we (the WG) decided to have
draft-ietf-oauth-token-exchange define and register a JWT claim for scope.
It's kind of an awkward place for it really but that's how it came to be.

When I added it to the draft, I opted for the semi-convention of JWT using
three letter short claim names. And decided to use a JSON array to convey
multiple values rather than space delimiting. It seemed like a good idea at
the time - more consistent with other JWT claim names and cleaner to use
the facilities of JSON rather than a delimited string. That was the
thinking at the time anyway and, as I recall, I asked the WG about doing it
that way at one of the meetings and there was general, if somewhat absent,
nodding in the room.

Looking at this again in the context of the question from Torsten and his
developers, I think using a different name and syntax for the JWT claim vs.
the Introspection response member/parameter/claim is probably a mistake.
While RFC 7662 Introspection response parameters aren't exactly the same as
JWT claims, they are similar in many respects. So giving consistent
treatment across them to something like scope is

Therefore I propose that the JWT claim for representing scope in
draft-ietf-oauth-token-exchange be changed to be consistent with the
treatment of scope in RFC 7662 OAuth 2.0 Token Introspection. That
effectively means changing the name from "scp" to "scope" and the value
from a JSON array to a string delimited by spaces.

I realize it's late in the process to make this change but believe doing so
will significantly reduce confusion and issues in the long run.

On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt <> wrote:

> Hi all,
> I’m wondering why draft-ietf-oauth-token-exchange-12 defines a claim
> „scp“ to carry scope values while RFC 7591 and RFC 7662 use a claim „scope“
> for the same purpose. As far as I understand the text, the intention is to
> represent a list of RFC6749 scopes. Is this correct? What’s the rationale
> behind?
> Different claim names for representing scope values confuse people. I
> realized that when one of our developers pointed out that difference
> recently.
> best regards,
> Torsten.

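Added example, not part of the original message or of any draft text: a resource-server helper that reads scope from either representation discussed in this thread, the "scp" JSON array of draft-12 and the space-delimited "scope" string of RFC 7662, and fails closed on malformed or conflicting values. The function names, the sample payloads and the policy of rejecting a token whose two claims disagree are assumptions made for illustration; the payload is assumed to be signature-verified already.

```python
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


class ScopeClaimError(ValueError):
    """The scope claim is malformed or ambiguous; the caller should deny."""


def _checked(tokens, claim):
    for tok in tokens:
        if not isinstance(tok, str) or not SCOPE_TOKEN.fullmatch(tok):
            raise ScopeClaimError(f"invalid scope token in {claim!r}: {tok!r}")
    return frozenset(tokens)


def granted_scopes(claims):
    """Scope set from an already-verified JWT payload or introspection response."""
    found = []
    if "scope" in claims:  # RFC 7662 form: one space-delimited string
        value = claims["scope"]
        if not isinstance(value, str):
            raise ScopeClaimError('"scope" must be a string')
        found.append(_checked(value.split(" ") if value else [], "scope"))
    if "scp" in claims:  # draft-12 form: JSON array of strings
        value = claims["scp"]
        if not isinstance(value, list):
            raise ScopeClaimError('"scp" must be an array')
        found.append(_checked(value, "scp"))
    # Assumed policy: if both claims are present they must agree.
    if len(found) == 2 and found[0] != found[1]:
        raise ScopeClaimError('"scope" and "scp" disagree')
    return found[0] if found else frozenset()


def has_scope(claims, required):
    # Exact set membership: "read" must not be satisfied by "read_all".
    return required in granted_scopes(claims)


# Constructed sample payloads (not taken from the thread).
DRAFT12_STYLE = {"sub": "user-1", "scp": ["orders:read", "orders:write"]}
RFC7662_STYLE = {"sub": "user-1", "scope": "orders:read orders:write"}

if __name__ == "__main__":
    for payload in (DRAFT12_STYLE, RFC7662_STYLE):
        print(sorted(granted_scopes(payload)), has_scope(payload, "orders:read"))
```
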