Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Benjamin Kaduk <kaduk@mit.edu> Thu, 21 May 2020 20:07 UTC
Date: Thu, 21 May 2020 13:07:35 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Denis <denis.ietf@free.fr>
Cc: oauth@ietf.org, Vittorio Bertocci <vittorio.bertocci@auth0.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kOnns4CdDTL3EnE5LpccZ8nZBtA>

On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote:
>
> Since then, I questioned myself how a client would be able to request an
> access token that would be
> *strictly compliant with this Profile*.

I don't understand why this is an interesting question to ask. The access
token and interpretation thereof is (AIUI) generally seen as an internal
matter between AS and RS, with the client having no need to care about the
specifics. To my knowledge, this WG has not previously given guidance
indicating that the client should be involved or specifics for how to do so,
and I do not remember seeing WG agreement that this should change.

-Ben