Re: [OAUTH-WG] Proposed URN for JWT token type: urn:ietf:params:oauth:token-type:jwt

Mike Jones <Michael.Jones@microsoft.com> Wed, 02 May 2012 00:39 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5714421E8093 for <oauth@ietfa.amsl.com>; Tue, 1 May 2012 17:39:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.412
X-Spam-Level:
X-Spam-Status: No, score=-5.412 tagged_above=-999 required=5 tests=[AWL=1.187, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vw4spn97Ymar for <oauth@ietfa.amsl.com>; Tue, 1 May 2012 17:39:37 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe004.messaging.microsoft.com [65.55.88.14]) by ietfa.amsl.com (Postfix) with ESMTP id 5145421F8A57 for <oauth@ietf.org>; Tue, 1 May 2012 17:39:37 -0700 (PDT)
Received: from mail163-tx2-R.bigfish.com (10.9.14.242) by TX2EHSOBE010.bigfish.com (10.9.40.30) with Microsoft SMTP Server id 14.1.225.23; Wed, 2 May 2012 00:39:29 +0000
Received: from mail163-tx2 (localhost [127.0.0.1]) by mail163-tx2-R.bigfish.com (Postfix) with ESMTP id 3E9764004EE; Wed, 2 May 2012 00:39:29 +0000 (UTC)
X-SpamScore: -37
X-BigFish: VS-37(zz9371I542M1432N1418I98dK4015Izz1202hzz8275ch1033IL8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail163-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail163-tx2 (localhost.localdomain [127.0.0.1]) by mail163-tx2 (MessageSwitch) id 1335919166596968_6867; Wed, 2 May 2012 00:39:26 +0000 (UTC)
Received: from TX2EHSMHS023.bigfish.com (unknown [10.9.14.249]) by mail163-tx2.bigfish.com (Postfix) with ESMTP id 8CD1420054; Wed, 2 May 2012 00:39:26 +0000 (UTC)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS023.bigfish.com (10.9.99.123) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 2 May 2012 00:39:26 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.73]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.02.0298.005; Wed, 2 May 2012 00:39:25 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Proposed URN for JWT token type: urn:ietf:params:oauth:token-type:jwt
Thread-Index: AQHNJ/HkxYAdLJwMtk6eA3CrB25uIJa1o2Vw
Date: Wed, 2 May 2012 00:39:24 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943664A4AF4@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943664A485A@TK5EX14MBXC284.redmond.corp.microsoft.com> <CA+k3eCR7krjyGLmaHrutoq8_xKTMFwug-1q+VhO4Nk6gwtTpjQ@mail.gmail.com>
In-Reply-To: <CA+k3eCR7krjyGLmaHrutoq8_xKTMFwug-1q+VhO4Nk6gwtTpjQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed URN for JWT token type: urn:ietf:params:oauth:token-type:jwt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 00:39:38 -0000

I understand what you're saying, but I still believe that the URN is the correct one.

While I agree that the potential for confusion is unfortunate, context will actually successfully differentiate the two uses of similar terms.  Bear in mind that the OAuth usage of the term is actually short for "Access Token Type" (see OAuth Core sections 8.1 and 11.1), whereas the URN above is to provide a type identifier for a particular kind of security token.

I also believe that the examples in the Bearer spec (see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-19#section-4), the MAC spec (see http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01#section-5.1), and the JWT spec will make the uses of these terms clear to implementers in context.

				-- Mike

-----Original Message-----
From: Brian Campbell [mailto:bcampbell@pingidentity.com] 
Sent: Tuesday, May 01, 2012 4:26 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proposed URN for JWT token type: urn:ietf:params:oauth:token-type:jwt

The only concern I might raise with it is that use of the "token-type"
part might lead to some confusion. The term token type and the parameter token_type are already pretty loaded and have specific meaning from the core OAuth framework:
http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-7.1

That token type is about providing "the client with the information required to successfully utilize the access token to make a protected resource request" (i.e. mac and bearer) and is not about the structure of the token itself which is what this URI seems to want to describe.
JWTs are usually thought of as bearer type tokens but might someday have HoK (http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120430/001860.html)
or mac like constructs.

I don't think there's really a problem with name collisions here but I think that the current use of token type in the frame work spec is already the cause of some confusion and I'd hate to exacerbate that.

On Tue, May 1, 2012 at 5:04 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> I'm editing the JWT spec to prepare for the OAuth WG version and to 
> track changes in the JOSE specs.  Currently the "typ" values defined 
> for JWT tokens are "JWT" and "http://openid.net/specs/jwt/1.0" (see 
> http://tools.ietf.org/html/draft-jones-json-web-token-08#section-5).  
> I believe that the URN value should be changed to use a URN taken from 
> the OAuth URN namespace urn:ietf:params:oauth (defined in 
> http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02).
>
>
>
> I propose to use the URN:
>
>                urn:ietf:params:oauth:token-type:jwt
>
>
>
> I believe this fits well with the other four uses of this namespace to date:
>
>                urn:ietf:params:oauth:grant-type:saml2-bearer
>
>                
> urn:ietf:params:oauth:client-assertion-type:saml2-bearer
>
>                urn:ietf:params:oauth:grant-type:jwt-bearer
>
>                urn:ietf:params:oauth:client-assertion-type:jwt-bearer
>
>
>
> (The first two are from
> http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-11.  The 
> latter two are from 
> http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-04.)
>
>
>
> Do people agree with this URN choice?
>
>
>
>                                                             Thanks,
>
>                                                             -- Mike
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>