Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

[Vittorio Bertocci <vittorio.bertocci@auth0.com>]

Denis, the change you mentioned is basically a typo, which I did fix but
did not publish a new draft for- that doesn’t change the substance of the
consensus (and is something that will be fixed in the subsequent phases of
the process).
Whether the sub should be mandatory has been discussed for two reasons:

- as a way of distinguishing whether the token was obtained on behalf of a
user or an application identity, by omitting it in the latter case. We had
extensive discussions following IETF105 and concluded that not enough
people were interested in that scenario. I kept that discussion open for a
long time.
- for privacy concerns. Those has been debated and your position failed to
gather momentum.

Some of the recent discussions on sub didn’t pick up on the discussions
above and didn’t bring new arguments that weren’t already debated.
Nonetheless I did my best to provide context and pointer to the past
discussions when answering the concerns. In other words, those discussions
didn’t appear to change the consensus achieved on the matter. We have 3
last calls, I don’t think the chairs changed the status of the document
lightly.



On Thu, May 14, 2020 at 07:29 Denis <denis.ietf@free.fr> wrote:

> The current version of this draft is
> "draft-ietf-oauth-access-token-jwt-07" issued on April the 27 th.
>
> This means that comments sent later on on the list have not been
> incorporated in this draft.
> In particular, this one sent on April the 28 th:
>
> *1) *The title of this spec. is:
>
> JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
>
> So, this spec. is supposed to be targeted to OAuth *2.0. *
>
> However, the header at the top of the page omits to mention it.
>
> Currently, it is :
>
> Internet-Draft       OAuth Access Token JWT Profile           April 2020
>
> It should rather be:
>
> Internet-Draft       OAuth *2.0* Access Token JWT Profile           April
> 2020
>
> It has been acknowledged by Vittorio on April, the 29 th:
>
> *> The title of this spec.*
>
> Fixed, thanks!
>
> This means that the draft document currently available on the IETF server
> is not reflecting the agreed comments.
>
> Since then, I questioned myself how a client would be able to request an
> access token that would be
> *strictly compliant with this Profile*.
>
> For doing this exercise, I took a look at section 3 on pages 6 to 8. To
> summarize my findings:
>
>    - the request MAY include a "resource" parameter. If the request does
>    not include a "resource" parameter,
>    the authorization server MUST use in the "aud" claim a default
>    resource indicator.
>    - the request MAY include "scope" parameter. If a "scope" parameter is
>    present in the request,
>    the authorization server SHOULD use it to infer the value of the
>    default resource indicator to be used in the "aud" claim.
>
> It seems to mean that if the request includes no "resource" parameter and
> no "scope" parameter, the access token will necessarily
> include the "sub" claim.
>
> If in the request, there would be present a parameter meaning "I want a
> token compliant with *this OAuth 2.0 profile*",
> then there would be no problem, but this is not the case.
>
> In the future, if additional parameters are included in the request, will
> the "sub" claim necessarily be present in the access token ?
> If yes, this may be a privacy concern.
>
> On the list there have been requirements for not making the "sub"
> parameter mandatory.
>
> This point needs to be addressed and solved one way or another.
>
>
> Denis
>
> All,
>
> Based on the 3rd WGLC, we believe that we have consensus to move this
> document forward.
> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
>
> We will be working on the shepherd write-up and then submit the document
> to the IESG soon.
>
> Regards,
>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
>