Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)
Eve Maler <eve@xmlgrrl.com> Wed, 30 April 2014 18:56 UTC
Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229F31A0946 for <oauth@ietfa.amsl.com>; Wed, 30 Apr 2014 11:56:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.899
X-Spam-Level:
X-Spam-Status: No, score=-0.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FROM_DOMAIN_NOVOWEL=0.5, HTML_MESSAGE=0.001, URI_NOVOWEL=0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxL5cwOUb1Ce for <oauth@ietfa.amsl.com>; Wed, 30 Apr 2014 11:56:13 -0700 (PDT)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2FB1A094A for <oauth@ietf.org>; Wed, 30 Apr 2014 11:56:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.promanage-inc.com (Postfix) with ESMTP id AA3EC4321ACD; Wed, 30 Apr 2014 11:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from mail.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fF3DNs6iyvHL; Wed, 30 Apr 2014 11:56:08 -0700 (PDT)
Received: from [192.168.168.107] (unknown [192.168.168.107]) by mail.promanage-inc.com (Postfix) with ESMTPSA id C91754321A9D; Wed, 30 Apr 2014 11:56:08 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_0A5BF250-E3B9-4709-8380-EDEE8C91299A"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A196778@TK5EX14MBXC288.redmond.corp.microsoft.com>
Date: Wed, 30 Apr 2014 11:55:51 -0700
Message-Id: <7482A49B-E7B2-471A-8134-54C8C711B701@xmlgrrl.com>
References: <CA+k3eCTeBZNh8-dhtkjbCJdJ6PfciZQNQOznJj+jdik6Z6Detw@mail.gmail.com> <535ABCBF.3090308@redhat.com> <CA+k3eCTzXS=aP8BQz2KL=0xht9wwtUEVwjgoYRjfmpy-n4HVuA@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439A196778@TK5EX14MBXC288.redmond.corp.microsoft.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/rn2Kxik4ubkwMReGKQaMuuB88No
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 18:56:16 -0000
I agree with Mike's point about flexibility. If OpenID Connect expects JWT and specific claim semantics, that makes sense in the context of its use case, but there are lots of other choices that can be made. For example, UMA's MTI token profile* defines a mechanism for conveying JSON-formatted permissions (à la Anil Saldhana's "entitlement" model** vs. "enforcement" for cloud authorization), and other token profiles could be created to convey JWT claims, the results of policy decisions, the applicable policies themselves, etc. Eve * http://tools.ietf.org/html/draft-hardjono-oauth-umacore-09#section-3.3.2 ** http://anil-identity.blogspot.com/2013/05/access-control-best-practices.html On 25 Apr 2014, at 1:18 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > To be clear, access tokens are opaque in OAuth and I don’t see any of us trying to change that in the general case. Particular authorization servers may use JWTs as an access token format, but that’s their private choice. I know of other authorization servers that have the access token value be an index into a local database table, which is just as legitimate a choice as using a structured access token. > > -- Mike > > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell > Sent: Friday, April 25, 2014 1:12 PM > To: Bill Burke > Cc: oauth > Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up) > > I think it is kind of assumed, yeah. And JWT as it is gives you everything you need for that as long as the AS and RS can agree on keys, JWE and/or JWS, and how the claims will look. I suspect that's what most deployments are doing with JWT access tokens today. We are, or offer JWS + JWT access tokens as an option in product anyway, and I believe many others are doing the same. > > IHMO getting everyone to agree on the specific claims etc. needed for a standardized JWT access token is a bit of a rat's nest, which is why there's not been much progress in that area. > > > > > > > On Fri, Apr 25, 2014 at 1:51 PM, Bill Burke <bburke@redhat.com> wrote: > Thank you. Thats what I thought. Is it just assumed JWT would/might be used an access token format for Bearer token auth? Or is there another draft somewhere for that? Is anybody out there using JWS + JWT as a access token format? > > > On 4/25/2014 2:59 PM, Brian Campbell wrote: > draft-ietf-oauth-jwt-bearer is only about interactions (client > authentication and JWT as an authorization grant) with the token > endpoint and doesn't define JWT style access tokens. > > > On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke <bburke@redhat.com > <mailto:bburke@redhat.com>> wrote: > > Red Hat Keycloak [1] only supports basic auth for client > authentication as suggested in the OAuth 2 spec. But our access > tokens are JWS signed JWTs. > > Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth > [2]? Or is there another document I should be following? I'd like > to see what other claims are being discussed related to JWT-based > access tokens and may have some additional access token claims we've > been experimenting with others might be interested in. > > Also, I'm not sure yet if we'll implement > draft-ietf-oauth-jwt-bearer to authenticate clients. A lot of our > initial users are more interested in public clients and/or the > implicit flow as they are writing a lot of pure javascript apps > served up by simple static web servers. > > [1] http://keycloak.org > [2] http://tools.ietf.org/html/__rfc6750 > <http://tools.ietf.org/html/rfc6750> > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl
- [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access … Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Bill Burke
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Bill Burke
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != acc… Eve Maler