Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Jared Jennings <> Tue, 12 May 2020 03:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE0653A0966 for <>; Mon, 11 May 2020 20:14:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 40QOjkKX1K9N for <>; Mon, 11 May 2020 20:14:34 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7F6A03A0956 for <>; Mon, 11 May 2020 20:14:34 -0700 (PDT)
Received: by with SMTP id b6so11124301qkh.11 for <>; Mon, 11 May 2020 20:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=c5Ur1ziVec+PQhHOPVN+H7zAfE5c0d7iHp5C0Kjo2qY=; b=GookgpnyZoZlnR98mSjxzWGZt9TAMaxknZ/OVN0drF5b6QCP4mi9nd7G+iknS8gp7H y3V32AlpFzY9BI9Adyeh9ps1rZR37dwQvx2Qe4WmsaAOJ6oCiItlo02dJgsxzEfdlQlO ZLvaudw1bmaMH/SJNZzdXL1WJYNrBR0mAdFALn2y4a5Lb/tboS2i6m9jYIPnmNGVnpra eavG/n98pja3FHZlDgzgkEsplu/7x6O2E/mMRXW9ZRI5AEkCqwm0zLP0TzxwqWILHQYL ezV8vi/2R9K5C9nf6KuPt1PZmdil4RljE2n962dpSxgg2qECWhJP6yRNVsePZFo9tpwP qkTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=c5Ur1ziVec+PQhHOPVN+H7zAfE5c0d7iHp5C0Kjo2qY=; b=VsTkhJUD4aT0P8SW2Cp+0mibi7huYL4Xg8PaKifhPD3R14E6IXv8uNvz2lRcW7f4vY 1xjHdUjMPcZ8OrzwrtvtOCa27f5nMRGv2cztinZr2StXXg3gFCk8N07KHJuOZaoVGFW3 UHFGCpmc2u8WCJvh4MvNYFbkQfWwebyEr8YqVvu1pMUcWATHumhLsJeWL4eRVe9XprSC k1O2deZa5O3hVqTnbHeoHNO8wcN0ycss9YXZTuH1D1A4Px58jwkKoigMZ2E2FLhsr4Tj cyL9Wy6c3sols5xOS7liGZYy1OuXtT7SApKKbapFB8SF+BzSCLBFMQ7CHeax0hAB5n/z i9NQ==
X-Gm-Message-State: AGi0PuaJCEf2D62dFIFp0s34cuE3my3VBa/LnDsyOjCfL7UpjEWNBqax uO22W+AXXF3UWFtu1qXqO2g=
X-Google-Smtp-Source: APiQypLxdkGmVxZzjFMCK+DcUPhlIXxtWgnwrVoxN30X+RU26yD2f92n1/XJsCa6oTLyZyAKoggx9Q==
X-Received: by 2002:a37:dc6:: with SMTP id 189mr7653213qkn.279.1589253273152; Mon, 11 May 2020 20:14:33 -0700 (PDT)
Received: from jareds-mbp-2.lan ([]) by with ESMTPSA id j36sm10462643qta.71.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 May 2020 20:14:32 -0700 (PDT)
From: Jared Jennings <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_19CF74DC-52E5-4C24-A6A6-DD9E6F26F168"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Mon, 11 May 2020 22:14:30 -0500
In-Reply-To: <>
Cc: Denis <>, Benjamin Kaduk <>, "" <>
To: Vittorio Bertocci <>
References: <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 May 2020 03:14:37 -0000

Hi Vittorio,

Yeah, this does make a bit of sense. So, the goal is to guide implementors from making bad choices, not from a security perspective. Meaning, it's not a security risk that a client does inspect or analyze the token. Instead, it's is an interop issue and thus we are guiding implementors to never assume or expect the token format to be consistent or of a expected format, for various reasons. I kinda know the answer to this question, but I am kinda asking this way to help restate the intent of the "topic" and maybe help guide to a wording that works for everyone.

For example, as a consultant, it can be very helpful to know how to decompile or inspect an "Object", but at the same time knowing that such a method or practice should never be used in production.


> On May 11, 2020, at 19:24, Vittorio Bertocci <> wrote:
> Real world scenarios are full of situations where additional assumptions can lower dangers that must be taken in consideration in the general case, which might make less of a risk going against the specin those particular circumstances, but their existence doesn’t warrant relaxing guidance for the general case. A concrete example: I worked on scenarios where resource servers wanted to guarantee some degree of business continuity in case of AS outage, which boiled down to RS’ willingness to accept ATs past their declared expiration time, on the condition that the AS outage condition was detectable and the staleness of the AT didn’t cross a tolerance threshold. The business scenario made sense, and the implementer was within their right in deciding that disregarding exp in those circumstances was acceptable. Nonetheless, I would not argue that given the existence of that scenario, rfc7519 should turn its MUST NOT into a SHOULD NOT.