Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)
Mike Jones <Michael.Jones@microsoft.com> Fri, 25 April 2014 20:19 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Bill Burke <bburke@redhat.com>
Date: Fri, 25 Apr 2014 20:18:22 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A196778@TK5EX14MBXC288.redmond.corp.microsoft.com>
References: <CA+k3eCTeBZNh8-dhtkjbCJdJ6PfciZQNQOznJj+jdik6Z6Detw@mail.gmail.com> <535ABCBF.3090308@redhat.com> <CA+k3eCTzXS=aP8BQz2KL=0xht9wwtUEVwjgoYRjfmpy-n4HVuA@mail.gmail.com>
In-Reply-To: <CA+k3eCTzXS=aP8BQz2KL=0xht9wwtUEVwjgoYRjfmpy-n4HVuA@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qDg9sl3PExXlQzEQr0MvrWwqjWI
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)
To be clear, access tokens are opaque in OAuth and I don’t see any of us trying to change that in the general case. Particular authorization servers may use JWTs as an access token format, but that’s their private choice. I know of other authorization servers that have the access token value be an index into a local database table, which is just as legitimate a choice as using a structured access token.

-- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, April 25, 2014 1:12 PM
To: Bill Burke
Cc: oauth
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

I think it is kind of assumed, yeah. And JWT as it is gives you everything you need for that as long as the AS and RS can agree on keys, JWE and/or JWS, and how the claims will look. I suspect that's what most deployments are doing with JWT access tokens today. We are, or offer JWS + JWT access tokens as an option in product anyway, and I believe many others are doing the same.

IMHO getting everyone to agree on the specific claims etc. needed for a standardized JWT access token is a bit of a rat's nest, which is why there's not been much progress in that area.

On Fri, Apr 25, 2014 at 1:51 PM, Bill Burke <bburke@redhat.com> wrote:

Thank you. That's what I thought. Is it just assumed JWT would/might be used as an access token format for Bearer token auth? Or is there another draft somewhere for that? Is anybody out there using JWS + JWT as an access token format?

On 4/25/2014 2:59 PM, Brian Campbell wrote:

draft-ietf-oauth-jwt-bearer is only about interactions (client authentication and JWT as an authorization grant) with the token endpoint and doesn't define JWT style access tokens.

On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke <bburke@redhat.com> wrote:

Red Hat Keycloak [1] only supports basic auth for client authentication as suggested in the OAuth 2 spec. But our access tokens are JWS signed JWTs. Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth [2]? Or is there another document I should be following? I'd like to see what other claims are being discussed related to JWT-based access tokens and may have some additional access token claims we've been experimenting with others might be interested in.

Also, I'm not sure yet if we'll implement draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our initial users are more interested in public clients and/or the implicit flow as they are writing a lot of pure javascript apps served up by simple static web servers.

[1] http://keycloak.org
[2] http://tools.ietf.org/html/rfc6750

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
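The two token styles the thread contrasts, side by side, as an added example that is not Keycloak's, Ping Identity's or any IETF code: an opaque access token that is only a handle into the authorization server's own table, and a JWS-signed JWT access token that the resource server validates itself once the AS and RS have agreed on a key, the signing algorithm, and the claims. The example assumes a single HMAC key shared by AS and RS (HS256) and uses constructed issuer, audience and claim values; it relies only on the Python standard library.

```python
"""Opaque vs. JWS-signed JWT access tokens (added example, stdlib only).

Assumptions (not from the thread): AS and RS share one HS256 key, the issuer
is "https://as.example", the audience is "https://rs.example".  All values are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    """JWS base64url: standard urlsafe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OpaqueTokenStore:
    """AS-side table keyed by a random handle (the 'index into a local
    database table' style).  The RS learns nothing from the token string
    itself; it has to ask the AS (lookup / introspection)."""

    def __init__(self):
        self._table = {}

    def issue(self, claims: dict) -> str:
        handle = secrets.token_urlsafe(32)   # unguessable handle, carries no data
        self._table[handle] = dict(claims)
        return handle

    def lookup(self, handle: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        claims = self._table.get(handle)
        if claims is None or now >= claims["exp"]:
            return None
        return claims


def mint_jwt_access_token(key: bytes, claims: dict) -> str:
    """AS side: JWS compact serialization with HS256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt_access_token(token: str, key: bytes, issuer: str,
                            audience: str, now: float = None) -> dict:
    """RS side: return the claims if the token is acceptable, else None.

    Order matters: pin the algorithm before trusting anything in the header,
    verify the signature before reading claims, then check iss, aud and exp.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                     # bad base64 / bad JSON / bad UTF-8
        return None
    # Only the algorithm agreed with the AS is accepted; "none" and any other
    # header-selected algorithm are rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:                 # token minted for another RS
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    claims = {"iss": "https://as.example", "aud": "https://rs.example",
              "sub": "user-123", "scope": "read", "exp": 1700000600}
    tok = mint_jwt_access_token(key, claims)
    print(verify_jwt_access_token(tok, key, "https://as.example",
                                  "https://rs.example", now=1700000000))
```

The opaque store and the JWT verifier are interchangeable from the client's point of view, which is the "tokens are opaque to the client" point: only the RS and AS care which style is in use, and a deployment choosing JWTs has to fix the key, the algorithm and the claim set on both sides exactly as the thread says.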