Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-04.txt

Vittorio Bertocci <> Fri, 06 March 2020 19:39 UTC

Dear all,
I am still not sure if I'll have approval to travel to Vancouver and attend
IETF107 in person, but in any case, here's a new revision of the JWT AT.
The main changes are all about Brian and Annabelle's feedback and
suggestions. Notable:

   o  Eliminated all the references to resource aliases list in aud that I
      missed in version 3, in particular in Sections 2 and 4.
   o  Introduced a new subsection Section 2.2.1, moved the definitions
      of auth_time, acr and amr there and incorporated the language
      proposed by Annabelle and Brian.
   o  In Section 3 softened (from MUST to SHOULD) the
      requirement that ties the resource identifier in the request to
      the value in the aud claim of the issued access token.
   o  Updated the typ header discussion in Section 2.1 to clarify that
      it helps prevent resources from accepting id_tokens as JWT
      access tokens.
   o  Updated references to token exchange, resource indicators and JWT
      best practices to reflect their RFC status (8793, 8707, 8725).

For the full list of changes, please refer to the document history section.

Given the discussions we had about it, I want to highlight that the spec
doesn't contain anything about whether the client obtained the AT in
confidential or public capacity. All references about the topic were
already removed in previous versions, but given that we discussed it on the
list anyway I just want to make sure it's clear that that aspect is and
remains out of scope for this profile.

On Fri, Mar 6, 2020 at 11:37 AM <> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>         Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
>         Author          : Vittorio Bertocci
>         Filename        : draft-ietf-oauth-access-token-jwt-04.txt
>         Pages           : 17
>         Date            : 2020-03-06
> Abstract:
>    This specification defines a profile for issuing OAuth 2.0 access
>    tokens in JSON web token (JWT) format.  Authorization servers and
>    resource servers from different vendors can leverage this profile to
>    issue and consume access tokens in interoperable manner.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> OAuth mailing list
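Two of the revision notes above describe checks that a resource server enforces when it validates a token: the typ header that keeps it from accepting an ID token as an access token, and the aud claim that must carry the resource's own identifier. The following is an added example of that resource-server validation, not code from the draft, from the author or from any project the thread mentions. To run offline it substitutes HMAC-SHA256 with a constructed shared key for the authorization server's real asymmetric signing key and JWK Set, and the issuer URL, resource identifier and sample claims are all constructed.

```python
"""Resource-server validation of a JWT access token per the JWT AT profile:
reject anything whose typ is not "at+jwt" (so an ID token is never mistaken
for an access token), pin the algorithm, verify the signature, then check
iss, aud, exp and the claims the profile requires.

Assumption (not from the draft): HS256 with a shared demo key stands in for
the AS's asymmetric key so the example runs without a network or a JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; in production the RS resolves the token's kid
# against the AS's published JWK Set instead of holding a shared key.
DEMO_KEY = b"demo-shared-key-not-for-production"
ISSUER = "https://as.example.com"
RESOURCE = "https://api.example.com"
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(header: dict, claims: dict, key: bytes = DEMO_KEY) -> str:
    """Sign a compact JWS with HS256 (demo stand-in for the AS's signer)."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_access_token(token: str, key: bytes = DEMO_KEY, issuer: str = ISSUER,
                          resource: str = RESOURCE, now=None) -> dict:
    """Return the claims of a valid JWT access token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # 1. typ must be at+jwt (compared case-insensitively). An ID token from the
    #    same issuer carries typ "JWT" or no typ and is rejected right here.
    if str(header.get("typ", "")).lower() != "at+jwt":
        raise ValueError(f"typ {header.get('typ')!r} is not at+jwt")
    # 2. Pin the algorithm the RS expects; never let the header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing required claims: {missing}")
    if claims["iss"] != issuer:
        raise ValueError("unexpected issuer")
    # 3. aud may be a string or an array; this resource's identifier must be in it.
    aud = claims["aud"]
    if resource not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this resource")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def demo(now: int = 1_583_523_538) -> dict:
    """Mint three constructed JWTs and report what the resource server does."""
    base = {"iss": ISSUER, "sub": "user-123", "client_id": "client-abc",
            "iat": now, "exp": now + 600, "jti": "c6d2e1a0"}
    tokens = {
        # A proper access token for this resource.
        "access_token": mint_jwt({"alg": "HS256", "typ": "at+jwt"},
                                 {**base, "aud": RESOURCE, "scope": "read"}),
        # An OpenID Connect ID token from the same issuer: typ JWT, aud = client.
        "id_token": mint_jwt({"alg": "HS256", "typ": "JWT"},
                             {**base, "aud": "client-abc", "nonce": "n-0S6_WzA2Mj"}),
        # An access token issued for a different resource.
        "other_rs_token": mint_jwt({"alg": "HS256", "typ": "at+jwt"},
                                   {**base, "aud": ["https://other.example.com"]}),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            validate_access_token(tok, now=now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering matters: typ and alg are checked from the header before any claim is trusted, the signature is verified before iss/aud/exp are read, and aud is accepted as either a string or an array since the profile allows both. With a real authorization server the HS256 pin and shared key become the AS's published algorithm and the key selected by the token's kid from its JWK Set.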