Re: [OAUTH-WG] DPoP JWT claims

Warren Parad <wparad@rhosys.ch> Thu, 16 June 2022 17:20 UTC

References: <B162D6F6-7ECD-4786-9C67-BB76B15F87F5@forgerock.com>
In-Reply-To: <B162D6F6-7ECD-4786-9C67-BB76B15F87F5@forgerock.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 16 Jun 2022 19:19:58 +0200
Message-ID: <CAJot-L1PqR4YBRTFi2760viyJ9ue489+W67dsUsTf7XNSrMj7Q@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nNyM2H1bhpmj648KfD3hgfGX24U>

I think the registration really helps with discovery, especially as an
implementer. When you see or observe these claims in a JWT, you can google
them, potentially returning no results. If you know about the IANA registry
you can find them, even if you don't know that the tokens have anything to
do with DPoP.

On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do
> these claims actually make sense outside of a DPoP proof? Presumably the
> risk of naming collision within a DPoP proof is pretty small, so is there
> any benefit to registering them rather than just using them as private
> claims?
>
> (I guess I could ask the same question about lots of other entries in the
> current registry at IANA, many of which look completely app-specific to me).
>
> [1]:
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7
>
> — Neil
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
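As an added example (not part of either message in this thread), here is what a resource server actually checks the three claims Neil lists against, per the DPoP draft: `htm` must equal the HTTP method, `htu` the target URI without query or fragment, and `ath` the base64url-encoded SHA-256 hash of the access token, which is why their meaning is tied to a DPoP proof. Signature verification over the proof's `jwk` header and `jti` replay tracking are assumed to happen elsewhere; the sample proof built by `make_unsigned_proof` is constructed for illustration and carries an empty signature segment.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit, urlunsplit


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def access_token_hash(token: str) -> str:
    """ath = base64url(SHA-256(ASCII(access_token))), unpadded (43 chars)."""
    return _b64url_encode(hashlib.sha256(token.encode("ascii")).digest())


def normalize_htu(uri: str) -> str:
    """htu carries scheme, host and path only; query and fragment are dropped."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def make_unsigned_proof(claims: dict) -> str:
    """Constructed sample proof: header.claims. with an empty signature segment.
    A real proof is signed with the key in the 'jwk' header (assumed verified)."""
    header = {"typ": "dpop+jwt", "alg": "ES256"}
    return _b64url_encode(json.dumps(header).encode()) + "." + \
        _b64url_encode(json.dumps(claims).encode()) + "."


def check_dpop_binding(proof_jwt: str, method: str, request_uri: str,
                       access_token: str) -> list:
    """Return the names of the claims that fail to bind to this request.
    An empty list means typ, htm, htu and ath all match."""
    header_b64, payload_b64, _sig = proof_jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    failures = []
    if header.get("typ") != "dpop+jwt":
        failures.append("typ")
    if claims.get("htm") != method.upper():      # bound to the HTTP method
        failures.append("htm")
    if claims.get("htu") != normalize_htu(request_uri):   # bound to the URI
        failures.append("htu")
    if claims.get("ath") != access_token_hash(access_token):  # bound to token
        failures.append("ath")
    return failures
```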