Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Aaron Parecki <aaron@parecki.com> Thu, 16 April 2020 19:09 UTC
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 16 Apr 2020 12:08:43 -0700
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/m03qAPxrfuWyNmDpwVxjBVs85js>
Section 2.1 says:

> Although JWT access tokens can use any signing algorithm, use of
> asymmetric algorithms is RECOMMENDED

Can this be strengthened to disallow the `none` algorithm? Something like adding "... and MUST NOT use the "none" algorithm".

Given that the JWT BCP doesn't disallow the "none" algorithm, technically someone could follow both this JWT Access Token spec and the JWT BCP spec and end up with an implementation that allows an AS to accept JWTs with the "none" algorithm.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:

> Hi all,
>
> This is a second working group last call for "JSON Web Token (JWT) Profile
> for OAuth 2.0 Access Tokens".
>
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>
> Please send your comments to the OAuth mailing list by April 29, 2020.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
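The `none` problem raised in the message above, shown in working code. This is an added example written for this page; it is not code from the draft, from the JWT BCP, or from any library. It constructs its own sample key and claims, and it uses HS256 (plain `hmac` from the Python standard library) only so that it runs offline; the draft recommends asymmetric algorithms, and the hardening shown (an algorithm allow-list fixed by the verifier and checked before any signature work) applies identically to an RS256 or ES256 verifier.

```python
"""Why a JWT access-token verifier must pin its algorithms instead of
trusting the token's own "alg" header.

Illustrative code for this page, not from the draft or any library.
HS256 is used only because the standard library can do it offline;
the same allow-list discipline applies to RS256/ES256 verifiers.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key for this example only (not a real secret).
SHARED_KEY = b"example-shared-key-do-not-use"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a properly signed token (the authorization server's side)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_none(claims: dict) -> str:
    """What an attacker sends: arbitrary claims, alg=none, empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "at+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def _split(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), header_b64, payload_b64, sig_b64


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable: the token's header picks the algorithm, so "none"
    means "skip the signature check" and a forged token is accepted."""
    header, h, p, s = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def _verify_hs256(signing_input: bytes, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


# Verifier-side table of the algorithms this deployment accepts, fixed at
# configuration time.  RS256/ES256 would be added here with a public-key
# check; "none" is never an entry.
VERIFIERS = {"HS256": _verify_hs256}


def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    """Hardened: refuse "none" explicitly and refuse anything outside the
    verifier's own allow-list before doing any signature work."""
    header, h, p, s = _split(token)
    alg = header.get("alg")
    if alg == "none" or alg not in VERIFIERS:
        return None
    if not VERIFIERS[alg](f"{h}.{p}".encode(), b64url_decode(s), key):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    claims = {"iss": "https://as.example", "sub": "alice", "scope": "read"}
    good = sign_hs256(claims, SHARED_KEY)
    forged = forge_none({"iss": "https://as.example", "sub": "admin", "scope": "admin"})
    print("naive accepts forged token:", verify_naive(forged, SHARED_KEY) is not None)
    print("pinned accepts forged token:", verify_pinned(forged, SHARED_KEY) is not None)
    print("pinned accepts genuine token:", verify_pinned(good, SHARED_KEY) == claims)
```

The naive verifier is what the message warns about: nothing in the draft's Section 2.1 text or in the JWT BCP forces the resource server to refuse `none`, so a verifier that dispatches on the header's `alg` silently becomes a signature-free parser. The pinned verifier makes the algorithm set a deployment decision and rejects `none` even if the allow-list were ever misconfigured to include it.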