[OAUTH-WG] draft-ietf-oauth-jwsreq-21

Brock Allen <brockallen@gmail.com> Thu, 07 May 2020 13:32 UTC

Date: Thu, 07 May 2020 09:32:13 -0400
Message-ID: <Mailbird-635821db-1f3a-4def-b157-a92bb7dddcdf@gmail.com>
From: "Brock Allen" <brockallen@gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pDdIdrQihLUAADqyY90TLga8W5c>
Subject: [OAUTH-WG] draft-ietf-oauth-jwsreq-21

Perhaps quite late, but a few comments/questions related to this:

1) When decoded, all the JWT samples are missing the "typ" claim from the header, which I think should be "oauth.authz.req+jwt".

2) When validating the JAR if we are to validate the "typ" then this would be incompatible with OIDC's request object, I think?

3) When the JAR is passed by reference, then the HTTP response Content-Type of "application/oauth.authz.req+jwt" would also seem to break or be incompatible with OIDC's request object passed by reference?

There might need to be clarification when mixing this with an OIDC OP implementation.

TIA

-Brock
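The interoperability point raised above can be made concrete with a small validator. The following is an added example, not code from the message, the draft, or any OIDC implementation: it signs a request object, then checks its signature and "typ" header under two policies. With the strict policy, "typ" must be "oauth.authz.req+jwt" (normalised per RFC 7515 section 4.1.9, which treats a "typ" without a "/" as shorthand for "application/..."); with the lenient policy an absent "typ" is tolerated for OIDC-style request objects, but a present, unrelated "typ" is still rejected. HS256 with a client secret is used only to keep the example self-contained; the key, client_id and URLs are constructed values, and the acceptance of "application/jwt" for request objects fetched by reference in lenient mode is this example's assumption, not something the draft specifies.

```python
"""Added example: signature and "typ" checks for JWT-secured authorization requests (JAR)."""
import base64
import hashlib
import hmac
import json

# "typ" from draft-ietf-oauth-jwsreq, in its normalised (media type) form.
JAR_TYP = "application/oauth.authz.req+jwt"
# Content-Type the draft gives for a request object fetched via request_uri.
JAR_MEDIA_TYPE = "application/oauth.authz.req+jwt"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Compact JWS over `claims` with the given header parameters (HS256 only, for the demo)."""
    full_header = dict(header, alg="HS256")
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (full_header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def normalise_typ(typ: str) -> str:
    """RFC 7515 s4.1.9: a "typ" with no '/' is shorthand for "application/<typ>"."""
    return typ if "/" in typ else f"application/{typ}"


def validate_jar(token: str, key: bytes, require_typ: bool = True) -> dict:
    """Verify the signature and "typ" of a request object; return its claims or raise ValueError.

    require_typ=True : "typ" MUST be oauth.authz.req+jwt (pure JAR behaviour).
    require_typ=False: a missing "typ" is tolerated (OIDC request objects predate the value),
                       but a present "typ" must still match, so an unrelated JWT is never accepted.
    """
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none" or a key-type swap
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    typ = header.get("typ")
    if typ is None:
        if require_typ:
            raise ValueError('missing "typ" header')
    elif normalise_typ(typ) != JAR_TYP:
        raise ValueError(f'unexpected "typ" {typ!r}')
    return json.loads(_b64url_decode(c_b64))


def accept_request_uri_response(content_type: str, require_jar_media_type: bool = True) -> bool:
    """Decide whether a response fetched from request_uri may be parsed as a request object.

    Accepting application/jwt in lenient mode is this example's assumption for OIDC deployments.
    """
    media = content_type.split(";")[0].strip().lower()
    if media == JAR_MEDIA_TYPE:
        return True
    return not require_jar_media_type and media == "application/jwt"


def _accepts(token: str, key: bytes, require_typ: bool) -> bool:
    try:
        validate_jar(token, key, require_typ=require_typ)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Exercise both policies against a JAR, an OIDC-style object, a foreign JWT and a forgery."""
    key = b"constructed-client-secret-for-the-example"  # constructed, not a real credential
    claims = {  # constructed authorization request parameters
        "iss": "s6BhdRkqt3", "aud": "https://as.example.com", "client_id": "s6BhdRkqt3",
        "response_type": "code", "redirect_uri": "https://client.example.org/cb",
        "scope": "openid", "state": "af0ifjsldkj",
    }
    jar = sign_hs256({"typ": "oauth.authz.req+jwt"}, claims, key)
    oidc_style = sign_hs256({}, claims, key)            # no "typ", as OIDC request objects often are
    other_jwt = sign_hs256({"typ": "at+jwt"}, claims, key)  # an access token presented as a request
    forged = sign_hs256({"typ": "oauth.authz.req+jwt"}, claims, b"wrong-key")
    return {
        "jar_strict": _accepts(jar, key, True),
        "oidc_strict": _accepts(oidc_style, key, True),
        "oidc_lenient": _accepts(oidc_style, key, False),
        "other_typ_lenient": _accepts(other_jwt, key, False),
        "forged_lenient": _accepts(forged, key, False),
    }


if __name__ == "__main__":
    print(demo())
```

The two policies make the trade-off visible: an AS that enforces the draft's "typ" will refuse request objects from OIDC clients that omit it, while an AS that tolerates a missing "typ" for those clients should still refuse any JWT whose "typ" says it is something else, and should never relax the signature or "alg" checks to get there.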