Re: [OAUTH-WG] DPoP JWT claims
Dick Hardt <dick.hardt@gmail.com> Thu, 16 June 2022 22:29 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC983C15AACA for <oauth@ietfa.amsl.com>; Thu, 16 Jun 2022 15:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMMktP71RCy5 for <oauth@ietfa.amsl.com>; Thu, 16 Jun 2022 15:29:50 -0700 (PDT)
Received: from mail-oa1-x2c.google.com (mail-oa1-x2c.google.com [IPv6:2001:4860:4864:20::2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B952C14CF18 for <oauth@ietf.org>; Thu, 16 Jun 2022 15:29:50 -0700 (PDT)
Received: by mail-oa1-x2c.google.com with SMTP id 586e51a60fabf-1011df6971aso3572365fac.1 for <oauth@ietf.org>; Thu, 16 Jun 2022 15:29:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=UwILFyO3zEQzEmII66gEAClN5GL9ptuqL2VSVrdRy3s=; b=WAJnMntbyUN2gTj4PhHheRJj5SbhK6GqzidSXe3HEF/F4ccaNqW3H6msaCgk44mQP5 huvc2tdj1BGWknWg9vYBsNdKU9CnMb5oRf5f+OrKrvwd1cuOu+vNAKwHkOdZ0qRzL13d jrTMCczYTH3QQC9aiADmw8GVVp0CZgd+Gt+Lo0YFMK6U6ysAMiFwGDykEnx8i3zXJ46s XAxmnxiN1o2G8iBpE95MQX4aqAmoxc13jIbEfbNLs0gV+qfumud9QNK5UEHqYBseH6ct OavIBgkVGoiTlXnA5FZhehnMrEXL+CELxzFQ1i83vwT9ARLoqcO+HNsUkFXXgJ+HRGOT hO+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=UwILFyO3zEQzEmII66gEAClN5GL9ptuqL2VSVrdRy3s=; b=qL8bqsqDCstAdYrs70bMHondVJ5YUrjrJzpbjZJZ2yXxgH6U8QEiP3IuIePK0Tcw5S l/+OA3nX6aUWuzFWIGJP+9geOPJ2pZouHe371dS4xya1VzvS3fmTd4FOeanB3iKMLURN ZrPH+K51g2kgsRWcLF9ALcy+E1/M1tkr+gGUkDL9lcp+Tgk4TbSC6vlU9PnOZKZWeXFS gtWWV2zCOaGMvpBeiAjh/VldO9RnY/6j34WZwRxR/xTAFg2lBlF3IAo5MYO3Wh83kCYz 3e3zty49xmvzIIlmSRZDKfmemrD5W8YMx7xVoOso0M1XSW12RwMn+4f+Ao9nY0/GplrZ Bl2w==
X-Gm-Message-State: AJIora+baaT5dVccPXWmUuJTma+LyNyppWHA56xYkBL0uaNLe8BKp4lx /2cHU03IwbeP1qXLtAsNIEolPi5rWrtEPxgscYCmmMFTgO0=
X-Google-Smtp-Source: AGRyM1tjhdnQFpza7q79EwlvRpnhBM6B0xcvC6wOmuOV9JNv9lcVNrtybTISQLXme6Z7xkDSjrXAHUFA//wI5HFCFlo=
X-Received: by 2002:a05:6870:a410:b0:f1:b21a:a160 with SMTP id m16-20020a056870a41000b000f1b21aa160mr9459251oal.162.1655418588431; Thu, 16 Jun 2022 15:29:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-siSJZ-8OUFhHKdWY=ZT7r=6GaBAu8LWBs3J4BoqTCtqQ@mail.gmail.com> <86DAF05C-BB10-49AA-8B1B-E19E8A410624@forgerock.com>
In-Reply-To: <86DAF05C-BB10-49AA-8B1B-E19E8A410624@forgerock.com>
Reply-To: Dick.Hardt@gmail.com
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 16 Jun 2022 15:29:37 -0700
Message-ID: <CAD9ie-vB3vAMqF3-XQCnuTo9dOcFKw9ch6uLa5pSp7ezN2D8Wg@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eb094505e1982cb9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nPKvG03IQB711JAa4_nBWbXt9eg>
Subject: Re: [OAUTH-WG] DPoP JWT claims
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2022 22:29:53 -0000
I guess it is not true in practice … and now I’m going to have go look at the DPoP usage … On Thu, Jun 16, 2022 at 2:32 PM Neil Madden <neil.madden@forgerock.com> wrote: > Is that actually true? The DPoP spec itself is a case in point: it reuses > the existing OIDC “nonce” claim but explicitly says that DPoP nonces are > not like OIDC nonces (section 9): > > “ Developers should also take care to not > > confuse DPoP nonces with the OpenID Connect [OpenID.Core <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#ref-OpenID.Core>] ID Token > nonce.” > > > The official IANA registration of “nonce” says: > > > Value used to associate a Client session with an ID Token > > > Does this matter? If not, does it matter if some other spec defines a “htm” claim with different meaning? > > > On 16 Jun 2022, at 20:50, Dick Hardt <dick.hardt@gmail.com> wrote: > > > > Registering the names provides clarity on use and avoids confusion on the > meaning of a claim — ie two specs won’t have conflicting definitions of > “htm” > > On Thu, Jun 16, 2022 at 10:20 AM Warren Parad <wparad= > 40rhosys.ch@dmarc.ietf.org> wrote: > >> I think the registration really helps with discovery, especially as an >> implementer. When you see or observe these claims in a JWT, you can google >> them potentially returning no results. If you know about the IANA registry >> you can find them, even if you don't know that the tokens have anything to >> do with DPoP. >> >> On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <neil.madden@forgerock.com> >> wrote: >> >>> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do >>> these claims actually make sense outside of a DPoP proof? Presumably the >>> risk of naming collision within a DPoP proof is pretty small, so is there >>> any benefit to registering them rather than just using them as private >>> claims? >>> >>> (I guess I could ask the same question about lots of other entries in >>> the current registry at IANA, many of which look completely app-specific to >>> me). >>> >>> [1]: >>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7 >>> >>> >>> — Neil >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] DPoP JWT claims Neil Madden
- Re: [OAUTH-WG] DPoP JWT claims Warren Parad
- Re: [OAUTH-WG] DPoP JWT claims Dick Hardt
- Re: [OAUTH-WG] DPoP JWT claims Neil Madden
- Re: [OAUTH-WG] DPoP JWT claims Brian Campbell
- Re: [OAUTH-WG] DPoP JWT claims Dick Hardt
- Re: [OAUTH-WG] DPoP JWT claims Benjamin Kaduk
- Re: [OAUTH-WG] DPoP JWT claims Brian Campbell