Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

John Bradley <ve7jtb@ve7jtb.com> Fri, 25 April 2014 20:06 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <535ABCBF.3090308@redhat.com>
Date: Fri, 25 Apr 2014 17:06:07 -0300
Message-Id: <6A3BC24E-5BFA-4350-886A-27B2AD6CB077@ve7jtb.com>
References: <CA+k3eCTeBZNh8-dhtkjbCJdJ6PfciZQNQOznJj+jdik6Z6Detw@mail.gmail.com> <535ABCBF.3090308@redhat.com>
To: Bill Burke <bburke@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wZK9m9w4nK-ZG9PPpLXbB1xMG-E
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer != access tokens (was Re: draft-ietf-oauth-jwt-bearer Shepherd Write-up)

The only current draft that describes JWT as access tokens is the PoP draft: http://tools.ietf.org/html/draft-bradley-oauth-pop-key-distribution

That describes JWT access tokens and how to add PoP information. I don't think there is anything other than the JWT spec itself describing bearer JWT, though they would be like the PoP JWT without the proof key.

Ping Federate has supported generating JWS access as an option for some time.

John B.

On Apr 25, 2014, at 4:51 PM, Bill Burke <bburke@redhat.com> wrote:

> Thank you. That's what I thought. Is it just assumed JWT would/might be used as an access token format for Bearer token auth? Or is there another draft somewhere for that? Is anybody out there using JWS + JWT as an access token format?
> 
> On 4/25/2014 2:59 PM, Brian Campbell wrote:
>> draft-ietf-oauth-jwt-bearer is only about interactions (client
>> authentication and JWT as an authorization grant) with the token
>> endpoint and doesn't define JWT style access tokens.
>> 
>> 
>> On Fri, Apr 25, 2014 at 12:51 PM, Bill Burke <bburke@redhat.com
>> <mailto:bburke@redhat.com>> wrote:
>> 
>>    Red Hat Keycloak [1] only supports basic auth for client
>>    authentication as suggested in the OAuth 2 spec.  But our access
>>    tokens are JWS signed JWTs.
>> 
>>    Does draft-ietf-oauth-jwt-bearer relate to OAuth Bearer token auth
>>    [2]?  Or is there another document I should be following?  I'd like
>>    to see what other claims are being discussed related to JWT-based
>>    access tokens and may have some additional access token claims we've
>>    been experimenting with others might be interested in.
>> 
>>    Also, I'm not sure yet if we'll implement
>>    draft-ietf-oauth-jwt-bearer to authenticate clients.  A lot of our
>>    initial users are more interested in public clients and/or the
>>    implicit flow as they are writing a lot of pure javascript apps
>>    served up by simple static web servers.
>> 
>>    [1] http://keycloak.org
>>    [2] http://tools.ietf.org/html/rfc6750
>> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
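Added example, not code from this thread, Keycloak or Ping Federate: the two roles a JWS-signed JWT plays that the thread keeps apart, a jwt-bearer assertion POSTed to the token endpoint versus a bearer access token presented to a resource per RFC 6750, with the receiver-side checks (signature, exp, aud) that keep one from being accepted as the other. HS256 with a constructed shared key, the endpoint URLs and the claim values are assumptions standing in for a real deployment's RS256 keys and identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

KEY = b"constructed-demo-key"  # constructed placeholder; real servers sign with an RSA/EC key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes = KEY) -> str:
    """Mint a JWS-signed JWT (compact serialization) over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, expected_aud: str, key: bytes = KEY, now=None) -> dict:
    """Receiver-side checks: signature, then exp and aud. The aud check is what
    keeps a token-endpoint assertion from being accepted as an access token."""
    now = time.time() if now is None else now
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; do not trust the header
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims

def jwt_bearer_grant_body(assertion: str) -> str:
    """Role 1 (draft-ietf-oauth-jwt-bearer): JWT as an authorization grant,
    form-encoded and POSTed to the token endpoint."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                      "assertion": assertion})

def bearer_authorization_header(access_token: str) -> str:
    """Role 2 (RFC 6750): JWT as the access token, presented to a resource."""
    return f"Authorization: Bearer {access_token}"
```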