Re: [OAUTH-WG] JWT - scope claim missing
Brian Campbell <bcampbell@pingidentity.com> Thu, 28 February 2013 21:00 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E183A21F863C for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 13:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.911
X-Spam-Level:
X-Spam-Status: No, score=-5.911 tagged_above=-999 required=5 tests=[AWL=0.065, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnpgoHQr3UdA for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 13:00:21 -0800 (PST)
Received: from na3sys009aog129.obsmtp.com (na3sys009aog129.obsmtp.com [74.125.149.142]) by ietfa.amsl.com (Postfix) with ESMTP id 14F5B21F8540 for <oauth@ietf.org>; Thu, 28 Feb 2013 13:00:21 -0800 (PST)
Received: from mail-oa0-f70.google.com ([209.85.219.70]) (using TLSv1) by na3sys009aob129.postini.com ([74.125.148.12]) with SMTP ID DSNKUS/FYwZJU1lsFLL31p5eZECH88XClNVz@postini.com; Thu, 28 Feb 2013 13:00:21 PST
Received: by mail-oa0-f70.google.com with SMTP id h2so14849232oag.5 for <oauth@ietf.org>; Thu, 28 Feb 2013 13:00:19 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=x5t95WElj43QHzDGkdt3hXJEiz3S0LqnKnOjp2AgMwY=; b=A7ULgv4X5WiiETAmsXzAZXhfHWMmYVi3ABZbMTSUHPINJ5UETp6NAk5CQ46FElW5p/ RkAg9gZH9BpYmEkOBCKLEiD+mlzLQIM2rMQodf6IGA4FfSlrLnraT2cNu72nVtET7vX2 lnB5D1T5H7Y4AZqSPSTYGAxvKlpjeMA9twu1H42OxgedFaieU6HnZdCdzu8zCxg0igx0 KJ3y/ZedVfU7PY1wpq0YC5GKbKzJvz3mZKoSG38Z8zAorgweg+Mj7a9IUZnFEUlnJHAb SjNuok9sNaWIGDb6/HkaiGfimTSfmHNHRi5WrhWxL+6GBtkyKG6vkv0XfMfHEWnOd43U TG8g==
X-Received: by 10.42.30.132 with SMTP id v4mr4256360icc.34.1362085218944; Thu, 28 Feb 2013 13:00:18 -0800 (PST)
X-Received: by 10.42.30.132 with SMTP id v4mr4256357icc.34.1362085218816; Thu, 28 Feb 2013 13:00:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.32.106 with HTTP; Thu, 28 Feb 2013 12:59:48 -0800 (PST)
In-Reply-To: <512FC18D.1020803@oracle.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com> <512FC18D.1020803@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 28 Feb 2013 13:59:48 -0700
Message-ID: <CA+k3eCTnbJsdtvA=VJWd0ob+s4qGco4O30M4=crpXb1tizDj9A@mail.gmail.com>
To: prateek mishra <prateek.mishra@oracle.com>
Content-Type: multipart/alternative; boundary="20cf301d420e9f2fa804d6cf2d44"
X-Gm-Message-State: ALoCoQmfS1M7gan+gAl+nXDwf7jzPOvyise6eSXBc3nZGLNCNHMLh7FgfIDPTGHSbwWBXoO3s7d63GYooUCFQMrqqiHLW6R4HteiXJnmUxFy1NJmL8qgo7lue/93uQa9KXvx7ANLxz4y
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 21:00:23 -0000
Thanks Prateek. I like it and I think wordy might be the way to go here. On Thu, Feb 28, 2013 at 1:43 PM, prateek mishra <prateek.mishra@oracle.com>wrote: > SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization > Grants > JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants > Assertion Framework for OAuth 2.0 <as above> > > a bit wordy, but does get the point across IMO > > - prateek > > I'm not sure anyone really "picked" the titles for the bearer token > profiles. They just kind of evolved. And evolved in funny ways especially > when client authn to the AS was added. > > You won't hear me argue that the titles are "good" and this is not the > first time there's been confusion about what they actually do. They define > new grant types and new client authentication methods. They *do not* define > an access token format or anything else about access tokens. JWT and SAML > could be used for that but that's not what these drafts do. > > Suggestions for better title(s) would be more than welcome. > > Here's what they are now: > > SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 > draft-ietf-oauth-saml2-bearer > > JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 > draft-ietf-oauth-jwt-bearer > > Assertion Framework for OAuth 2.0 > draft-ietf-oauth-assertions > > On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > >> Yes the title likely adds to the confusion given that the bearer tokens >> are not access tokens. >> >> Things as separate from OAuth as the Firefox browerID spec use JWS >> signed JWTs. >> >> The bearer token profiles for OAuth 2 are for OAuth2. >> >> The JSON Web Token (JWT)<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec >> did not start in OAuth and is not OAuth specific. >> >> A JWT is: >> >> JSON Web Token (JWT) A string representing a set of claims as a JSON >> object that is encoded in a JWS or JWE, enabling the claims to be >> digitally signed or MACed and/or encrypted. >> >> >> So OAuth or other profiles may define claims to go in a JWT, but the >> JWT needs to itself only define the claims necessary for security >> processing. >> >> John B. >> PS that was a soft ball If you hadn't responded I would have been >> disappointed. I din't pick the title for the bearer token profiles. >> >> >> On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote: >> >> >> >> >> >> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 >> >> >> Note the title says "for OAuth2" >> >> Sorry. Couldn't resist. >> >> Phil >> >> Sent from my phone. >> >> On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com> wrote: >> >> JWT is an assertion( I am probably going to regret using that word). >> >> It is used in openID connect for id_tokens, it is used in OAuth for >> Assertion grant types and authentication of the client to the token >> endpoint. >> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04 >> >> >> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0 >> >> >> Dosen't define JWT's use for access tokens for the RS. >> >> Bottom line JWT is for more than access tokens. >> >> John B. >> >> On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com> wrote: >> >> Are you saying jwt is not an access token type? >> >> Phil >> >> Sent from my phone. >> >> On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com> wrote: >> >> Yes, defining scope in JWT is the wrong place. JWT needs to stick to >> the security claims needed to process JWT. >> >> I also don't know how far you get requiring a specific authorization >> format for JWT, some AS will wan to use a opaque reference, some might want >> to use a user claim or role claim, others may use scopes, combining scopes >> and claims is also possible. >> >> Right now it is up to a AS RS pair to agree on how to communicate >> authorization. I don't want MAC to be more restrictive than bearer when >> it comes to authorization between AS and RS. >> >> Hannes wanted to know why JWT didn't define scope. The simple answer >> is that it is out of scope for JWT itself. It might be defined in a OAuth >> access token profile for JWT but it should not be specific to MAC. >> >> John B. >> On 2013-02-28, at 8:44 AM, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >> I think John's point was more that scope is something rather specific >> to an OAuth access token and, while JWT is can be used to represent an >> access token, it's not the only application of JWT. The 'standard' claims >> in JWT are those that are believed (right or wrong) to be widely applicable >> across different applications of JWT. One could argue about it but scope is >> probably not one of those. >> >> It would probably make sense to try and build a profile of JWT >> specifically for OAuth access tokens (though I suspect there are some >> turtles and dragons in there), which might be the appropriate place to >> define/register a scope claim. >> >> >> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote: >> >>> Are you advocating TWO systems? That seems like a bad choice. >>> >>> I would rather fix scope than go to a two system approach. >>> >>> Phil >>> >>> Sent from my phone. >>> >>> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote: >>> >>> > While scope is one method that a AS could communicate authorization to >>> a RS, it is not the only or perhaps even the most likely one. >>> > Using scope requires a relatively tight binding between the RS and AS, >>> UMA uses a different mechanism that describes finer grained operations. >>> > The AS may include roles, user, or other more abstract claims that the >>> the client may (god help them) pass on to EXCML for processing. >>> > >>> > While having a scopes claim is possible, like any other claim it is >>> not part of the JWT core security processing claims, and needs to be >>> defined by extension. >>> > >>> > John B. >>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig < >>> hannes.tschofenig@gmx.net> wrote: >>> > >>> >> Hi Mike, >>> >> >>> >> when I worked on the MAC specification I noticed that the JWT does >>> not have a claim for the scope. I believe that this would be needed to >>> allow the resource server to verify whether the scope the authorization >>> server authorized is indeed what the client is asking for. >>> >> >>> >> Ciao >>> >> Hannes >>> >> >>> >> _______________________________________________ >>> >> OAuth mailing list >>> >> OAuth@ietf.org >>> >> https://www.ietf.org/mailman/listinfo/oauth >>> > >>> > _______________________________________________ >>> > OAuth mailing list >>> > OAuth@ietf.org >>> > https://www.ietf.org/mailman/listinfo/oauth >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> >> >> > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > >
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- [OAUTH-WG] JWT - scope claim missing Hannes Tschofenig
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Hannes Tschofenig
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Justin Richer
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Justin Richer
- Re: [OAUTH-WG] JWT - scope claim missing Mike Jones
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing prateek mishra
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Brian Campbell
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Mike Jones
- Re: [OAUTH-WG] JWT - scope claim missing Nat Sakimura
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing John Bradley
- Re: [OAUTH-WG] JWT - scope claim missing Lewis Adam-CAL022
- Re: [OAUTH-WG] JWT - scope claim missing Nat Sakimura
- Re: [OAUTH-WG] JWT - scope claim missing Phil Hunt
- Re: [OAUTH-WG] JWT - scope claim missing Eve Maler
- Re: [OAUTH-WG] JWT - scope claim missing Richer, Justin P.
- Re: [OAUTH-WG] JWT - scope claim missing prateek mishra