[OAUTH-WG] OAuth2 2 legged flows with JWT client assertions

George Fletcher <gffletch@aol.com> Tue, 15 September 2015 18:10 UTC

To: "oauth@ietf.org" <oauth@ietf.org>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <55F85EF5.5080609@aol.com>
Date: Tue, 15 Sep 2015 14:09:57 -0400
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/mZAsQ4-gecbCKPD-q3_-lLA7et0>
Subject: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions

Hi,

I just want to verify my reading of RFC 7523[1] for the use case where a 
client wants to get an access token for itself to use as authorization 
for future API calls. This is effectively exchanging a JWS for a "short 
lived" access token.

My understanding of section 2.2 of RFC 7523 is that the 
'client_assertion_type' and 'client_assertion' replace the default 
[OAuth2 (RFC 6749)] client authentication mechanism of client_id and 
client_secret.

Therefore the correct way to implement this 2 legged flow is to use the 
OAuth2 (RFC 6749) client_credentials grant_type (Section 4.4) with the 
JWT Bearer defined client_assertion_type and client_assertion.

This would look something like (line breaks added for readability):

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=<encoded JWS>&
scope=myscopes

Is there a different industry standard for this use case? I'm checking 
as I find that multiple AS implementations do this differently :)

Thanks,
George

[1] https://tools.ietf.org/html/rfc7523
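The flow described in the mail, as an added example that is not part of the original message: the client builds the RFC 7523 client assertion and the client_credentials request body, and the authorization server validates the assertion (pinned alg, signature, aud, sub/iss, exp, jti replay). HS256 over a shared secret, the client_secrets lookup table and the seen_jti replay set are assumptions of this example, chosen so it runs with the standard library only; a real deployment would normally sign with the client's private key.

```python
import base64, hashlib, hmac, json, uuid
from urllib.parse import urlencode
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(client_id, token_endpoint, secret, now, lifetime=60):
    # Client side (RFC 7523 sec. 3): iss/sub = client_id, aud = token endpoint, exp bounds
    # validity, jti lets the AS detect replay. HS256 with a shared secret is an assumption.
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def build_token_request_body(assertion, scope):
    # The assertion replaces client_id/client_secret; grant_type stays client_credentials.
    return urlencode({"grant_type": "client_credentials",
                      "client_assertion_type": CLIENT_ASSERTION_TYPE,
                      "client_assertion": assertion, "scope": scope})

def verify_client_assertion(assertion, token_endpoint, client_secrets, now, seen_jti):
    # AS side: the checks RFC 7523 section 3 requires. client_secrets maps
    # client_id -> shared secret; seen_jti is the AS's replay cache (a set).
    h, c, s = assertion.split(".")
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "alg" blindly
        raise ValueError("unexpected alg")
    secret = client_secrets.get(claims.get("sub"))  # sub MUST be the client_id
    if secret is None:
        raise ValueError("unknown client")
    expected = hmac.new(secret, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("aud") != token_endpoint:
        raise ValueError("aud mismatch")
    if claims.get("iss") != claims["sub"]:  # example policy: self-issued assertions only
        raise ValueError("iss mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if claims.get("jti") in seen_jti:
        raise ValueError("replayed jti")
    seen_jti.add(claims["jti"])
    return claims
```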