Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us -03 announcement redux

Brian Campbell <> Thu, 07 January 2016 23:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 68D051A879E for <>; Thu, 7 Jan 2016 15:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 93KmChYOLnmR for <>; Thu, 7 Jan 2016 15:45:49 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D600C1A8792 for <>; Thu, 7 Jan 2016 15:45:47 -0800 (PST)
Received: by with SMTP id mw1so64346035igb.1 for <>; Thu, 07 Jan 2016 15:45:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=SPm+vQU4+I0zMbyw7/iAQ4lY319adkKhL/X4qSYvhTw=; b=EL6XFzHPZdsNwDemcSMaNznzAy+/R43fTRrXgskQZR7AVSqIsZ20/AsHm1t+XqBXYn CBI++fG4I/y+KZirPOSKuk12EmxgMgyhUXlYvNaFVF3/ftaxlJEbBp581TWvuE9QI1xg ruOqQ4/gCakNvzvoicdEBge/CIEoXWz85shJI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=SPm+vQU4+I0zMbyw7/iAQ4lY319adkKhL/X4qSYvhTw=; b=CF4hheG0KxNjxqI+ufwSeWfDiAhvKQIzqH4LiZBoBdyNgLjbEBIGEzeaPX7OGxvEjg z9VHjNenzcUy8ZpeHqmWPDAV438l0Ow1cjUAS4NMblciLvqcq5gqihvFjIDp8Azk2yHu 3vLRSeDuTKAFGmAtnraKRgDvIeovNZGjt8ZmSPtDB9a5yJ+pGxova6ZC3nVmf7edmFO9 YjL675BbZlKiMW9fVEn0L6QZu5hgPQdYIG0bLvUWoRqN/pNrOLuAmh5v/3pJuEOAmyhI 4AgIR2t9UvFaXmz8kcegzk3lf/qHNuP6HQzFlv8jKTUWp2L8BsLbItIEyimUP5qoGZnx pWzQ==
X-Gm-Message-State: ALoCoQkEgCk/UAB02LAwOgHhvQ+uvJbqdfM/lCh5ACWYGzLnTn8BBqtsmbdCPcEJ5AGlBMjNDrQ1TjmN+SZNkVT8Nc+Y+bYcmEf/RhX6HxgmhbVsdXRXCFQ=
X-Received: by with SMTP id jn10mr2890749igb.77.1452210347267; Thu, 07 Jan 2016 15:45:47 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Thu, 7 Jan 2016 15:45:17 -0800 (PST)
In-Reply-To: <>
References: <> <>
From: Brian Campbell <>
Date: Thu, 07 Jan 2016 16:45:17 -0700
Message-ID: <>
To: Vladimir Dzhuvinov <>
Content-Type: multipart/alternative; boundary="089e01160584e37c300528c7117e"
Archived-At: <>
Cc: oauth <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us -03 announcement redux
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Jan 2016 23:45:52 -0000

Thanks for the review Vladimir, responses inline below...

On Wed, Jan 6, 2016 at 3:19 AM, Vladimir Dzhuvinov <>

> Hi Brian,
> 1. The introduction is excellent! Previous versions were lacking in this
> regard and readers were left guessing or unaware about key aspects of the
> spec and how to make use of it. Good work!

Thank you!

> 2.1. Are clients allowed to mix or include both "resource" and "audience"
> request parameters at the same time?

I'm inclined to say yes although I know it's not clearly stated one way or
the other in the current draft. Conceptually it started with only a single
parameter indicating the location of the resource. In some discussions that
started to seem overly limiting and so the concepts of specifying either a
logical name or a resource location were introduced as well as allowing for
multiples. Given that all that is already allowed and that these parameters
are simply a way for the client to signal expected usage preferences, I
think it makes sense to allow the use of "resource" and "audience" request
parameters at the same time.

I'm certainly open to discussing on it though.

I had hoped that whatever parameter(s) were used here to indicate where the
token is anticipated to be used could be extracted and used at the token
and authz endpoints for PoP key distribution and even vanilla OAuth. But
what's in token exchange may have gotten too flexible for those cases. I'm
not sure...

> A.1. Wouldn't the impersonation example be more straightforward if the
> returned token is an access token? I see that a "N_A" token is also
> demonstrated there, but that could confuse readers if the main point is to
> show an impersonation example.

I wavered on that very question when doing a round of updates. I think one
of the other editors had gone with the "N_A" so, being kind of on the fence
myself, I just left it that way. But I'd be just fine with changing that if
you and/or others think it'd be more straightforward.

> A.1 + A.2. It is stated that the client is anonymous. But is that really
> so if the supplied JWTs are apparently signed by the client and the AS will
> have to verify them?

Shoot, you're right. Good catch. I had a different issuer in there at one
point but went back though and changed some of the identifiers in the
examples to try and make them more meaningful. But I didn't notice that
making issuer say 'client' like that undermines or confuses the statement
about the client being anonymous. I'll change the iss or remove the text
about being anonymous in those examples.


> Overall I'm very pleased with this new version!

That's great to hear! Thanks again for your review.

> Cheers,
> Vladimir
> On 05/01/16 23:40, Brian Campbell wrote:
> On the off chance that it was missed in the final throes of 2015, I'd like
> to re-announce the publication of a new revision of the OAuth 2.0 Token
> Exchange draft.
> Due to the substantial changes in this draft, I'd encourage (a.k.a. beg) WG
> participants to review the document. As Mike said, this draft reconciles
> the differences in approaches taken in the previous working group draft and
> draft-campbell-oauth-sts while incorporating working group input and rough
> consensuses from the in-person discussions in Prague and mailing list
> discussions.
> Changes from -02 are summarized in Appendix D
> and the more meaningful are copied here:
>    o  Updated the format of the request to use application/x-www-form-
>       urlencoded request parameters and the response to use the existing
>       token endpoint JSON parameters defined in OAuth 2.0.
>    o  Changed the grant type identifier to urn:ietf:params:oauth:grant-
>       type:token-exchange.
>    o  Removed the Implementation Considerations and the requirement to
>       support JWTs.
>    o  Changed "on_behalf_of" to "subject_token",
>       "on_behalf_of_token_type" to "subject_token_type", "act_as" to
>       "actor_token", and "act_as_token_type" to "actor_token_type".
>    o  Added a "want_composite" request parameter used to indicate the
>       desire for a composite token rather than trying to infer it from
>       the presence/absence of token(s) in the request.
>    o  Added an "audience" request parameter used to indicate the logical
>       names of the target services at which the client intends to use
>       the requested security token.
>    o  Added a "resource" request parameter used to indicate the URLs of
>       resources at which the client intends to use the requested
>       security token.
>    o  Specified that multiple "audience" and "resource" request
>       parameter values may be used.
>    o  Defined the JWT claim "act" (actor) to express the current actor
>       or delegation principal.
>    o  Defined the JWT claim "may_act" to express that one party is
>       authorized to act on behalf of another party.
>    o  Defined the JWT claim "scp" (scopes) to express OAuth 2.0 scope-
>       token values.
>    o  Added the "N_A" (not applicable) OAuth Access Token Type
>       definition for use in contexts in which the token exchange syntax
>       requires a "token_type" value, but in which the token being issued
>       is not an access token.
>    o  Added examples.
> And the (known) outstanding issues are listed in Appendix C
> but also copied here:
>    o  Should there be a way to use short names for some common token
>       type identifiers?  URIs are necessary in the general case for
>       extensibility and vendor/deployment specific types.  But short
>       names like "access_token" and "jwt" are aesthetically appealing
>       and slightly more efficient in terms of bytes on the wire and url-
>       encoding.  There seemed to be rough consensus in Prague ('No
>       objection to use the proposed mechanism for a default prefix' from
> for
>       supporting a shorthand for commonly used types - i.e. when the
>       value does not contain a ":" character, the value would be treated
>       as though "urn:ietf:params:oauth:token-type:" were prepended to
>       it.  So, for example, the value "jwt" for "requested_token_type"
>       would be semantically equivalent to "urn:ietf:params:oauth:token-
>       type:jwt" and the value "access_token" would be equivalent to
>       "urn:ietf:params:oauth:token-type:access_token".  However, it was
>       a fairly brief discussion in Prague and it has since been
>       suggested that making participants handle both syntaxes will
>       unnecessarily complicate the supporting code.
>    o  Provide a way to include supplementary claims or information in
>       the request that would/could potentially be included in the issued
>       token.  There are real use cases for this but we would need to
>       work through what it would look like.
>    o  Understand and define exactly how the presentation of PoP/non-
>       bearer tokens works.  Of course, the specifications defining these
>       kinds of tokens need to do so first before there is much we can do
>       in this specification in this regard.
>    o  It seems there may be cases in which it would be desirable for the
>       authenticated client to be somehow represented in the issued
>       token, sometimes in addition to the actor, which can already be
>       represented using the "act" claim.  Perhaps with a "client_id"
>       claim?
> ---------- Forwarded message ----------
> From: Mike Jones <> <>
> Date: Mon, Dec 14, 2015 at 1:05 AM
> Subject: [OAUTH-WG] OAuth 2.0 Token Exchange: An STS for the REST of Us
> To: "" <> <> <>
> I’m happy to report that a substantially revised OAuth 2.0 Token Exchange
> draft has been published that enables a broad range of use cases, while
> still remaining as simple as possible.  This draft unifies the approaches
> taken in the previous working group draft and draft-campbell-oauth-sts,
> incorporating working group input from the in-person discussions in Prague
> and mailing list discussions.  Thanks to all for your interest in and
> contributions to OAuth Token Exchange!  Brian Campbell deserves special
> recognition for doing much of the editing heavy lifting for this draft.
> The core functionality remains token type independent.  That said, new
> claims are also defined to enable representation of delegation actors in
> JSON Web Tokens (JWTs).  Equivalent claims could be defined for other token
> types by other specifications.
> See the Document History section for a summary of the changes made.  Please
> check it out!
> The specification is available at:
> ·
> An HTML-formatted version is also available at:
> ·
>                                                           -- Mike
> P.S.  This note was also posted at
>  and as
> @selfissued <> <>.
> _______________________________________________
> OAuth mailing listOAuth@ietf.org
> _______________________________________________
> OAuth mailing listOAuth@ietf.org
> --
> Vladimir Dzhuvinov ::
> _______________________________________________
> OAuth mailing list