Re: [OAUTH-WG] OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution nitpicking

Justin Richer <jricher@mit.edu> Thu, 13 November 2014 19:11 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <77D02F4C-4C5D-4A9A-870E-6EEEA92CC745@adobe.com>
Date: Thu, 13 Nov 2014 09:05:56 -1000
Message-Id: <D0D1F343-CBE3-46C4-B8A6-846CFE34C256@mit.edu>
References: <77D02F4C-4C5D-4A9A-870E-6EEEA92CC745@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rZP557NT3xqTwiAjgFeWfQFDKa8
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution nitpicking

I think you’re right, the text should probably say “remainder of token omitted” for the cases where it’s a non-JWT (and the key is passed from AS to RS in some other fashion) or it should start like a regular JWT in that particular example.

 — Justin

On Nov 13, 2014, at 12:58 AM, Antonio Sanso <asanso@adobe.com> wrote:

> hi *.
> 
> AFAIU the access token in the  Client-to-AS Response is not “forced” to be JWT format but can also be an opaque string.
> Now the example rather says:
> 
> HTTP/1.1 200 OK
>     Content-Type: application/json
>     Cache-Control: no-store
> 
>     {
>       "access_token":"SlAV32hkKG ...
>        (remainder of JWT omitted for brevity;
>        JWT contains JWK in the cnf claim)",
>       "token_type":"pop",
>       "expires_in":3600,
>       "refresh_token":"8xLOxBtZp8",
>       "key":"eyJhbGciOiJSU0ExXzUi ...
>        (remainder of plain JWK omitted for brevity)"
>     }
> now IMHO this is a bit odd because
> access_token":"SlAV32hkKG ...
>        (remainder of JWT omitted for brevity;
>        JWT contains JWK in the cnf claim)
> so either it is not a JWT and "remainder of JWT omitted…" should be removed, or SlAV32hkKG should look like a JWT (and it is not the case at the moment :))
> 
> regards
> 
> antonio
> 
> [0] https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-00#section-4.2
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
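To make the distinction discussed in this thread concrete, here is an added Python example (not from the draft, from either poster, or from the IETF). It builds a token response in the shape of the section 4.2 example twice: once with an access_token that really is a JWT carrying a cnf claim, and once with the opaque value "SlAV32hkKG" the example uses, and shows how a client can tell the two apart and check that the key it received in "key" is the key the token binds to. The "oct" JWK, the HS256 signing secret, the claim values and the choice to carry the JWK in "key" as a JSON string are all constructed assumptions, not anything the draft specifies.

```python
import base64
import hashlib
import hmac
import json


# --- base64url helpers (RFC 7515 appendix C) ---
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed PoP key (an "oct" JWK with placeholder material, not from the draft).
CONSTRUCTED_POP_JWK = {
    "kty": "oct",
    "kid": "pop-key-1",
    "k": b64url_encode(b"constructed-pop-key-material"),
}

# Constructed AS signing secret, shared only between AS and RS. The client never
# verifies the token signature; it only reads the cnf claim for a consistency check.
CONSTRUCTED_AS_SECRET = b"constructed-as-hmac-secret"


def make_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS so the sample access_token really is JWT-shaped."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"oct": ("k", "kty"), "RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url_encode(hashlib.sha256(canonical).digest())


def decode_jwt_payload(token: str):
    """Return the claims of a compact JWT, or None if the string is not JWT-shaped.

    Deliberately does not verify the signature: the client holds no AS verification
    key and RFC 6749 lets it treat the token as opaque. This is a shape check only.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64url or bad JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return payload


def classify_pop_response(response: dict) -> dict:
    """Tell a JWT-with-cnf access_token from an opaque one and check that the JWK
    handed to the client in "key" is the one the token's cnf claim binds to."""
    key = response["key"]
    if isinstance(key, str):  # the draft example carries the JWK as a string
        key = json.loads(key)
    payload = decode_jwt_payload(response["access_token"])
    if payload is None:
        # Opaque token: the AS must pass the key to the RS some other way, so the
        # client can only record which key it was given.
        return {"kind": "opaque", "kid": key.get("kid"), "consistent": None}
    cnf = payload.get("cnf")
    if not isinstance(cnf, dict) or "jwk" not in cnf:
        return {"kind": "jwt_without_cnf", "kid": key.get("kid"), "consistent": False}
    same_key = jwk_thumbprint(cnf["jwk"]) == jwk_thumbprint(key)
    return {"kind": "jwt_with_cnf", "kid": key.get("kid"), "consistent": same_key}


def constructed_response(jwt_token: bool) -> dict:
    """A token response in the shape of the draft's section 4.2 example (constructed values)."""
    if jwt_token:
        claims = {"iss": "https://as.example", "sub": "user", "exp": 1415900000,
                  "cnf": {"jwk": CONSTRUCTED_POP_JWK}}
        token = make_jwt_hs256(claims, CONSTRUCTED_AS_SECRET)
    else:
        token = "SlAV32hkKG"  # the opaque-looking value the draft example shows
    return {
        "access_token": token,
        "token_type": "pop",
        "expires_in": 3600,
        "refresh_token": "8xLOxBtZp8",
        "key": json.dumps(CONSTRUCTED_POP_JWK),
    }


if __name__ == "__main__":
    for is_jwt in (True, False):
        print(classify_pop_response(constructed_response(is_jwt)))
```

The thumbprint comparison is what makes the check useful: a cnf claim may repeat the JWK, so comparing canonical thumbprints rather than raw JSON ignores ordering and optional members such as "kid". A client that sees "consistent": False was handed a key that does not match the token it is supposed to prove possession of, which is worth logging before the first request to the RS fails.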