IETF Logo Mail Archive

Re: [OAUTH-WG] JWT - scope claim missing

Brian Campbell <bcampbell@pingidentity.com> Thu, 28 February 2013 21:00 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E183A21F863C for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 13:00:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.911
X-Spam-Level:
X-Spam-Status: No, score=-5.911 tagged_above=-999 required=5 tests=[AWL=0.065, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OnpgoHQr3UdA for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 13:00:21 -0800 (PST)
Received: from na3sys009aog129.obsmtp.com (na3sys009aog129.obsmtp.com [74.125.149.142]) by ietfa.amsl.com (Postfix) with ESMTP id 14F5B21F8540 for <oauth@ietf.org>; Thu, 28 Feb 2013 13:00:21 -0800 (PST)
Received: from mail-oa0-f70.google.com ([209.85.219.70]) (using TLSv1) by na3sys009aob129.postini.com ([74.125.148.12]) with SMTP ID DSNKUS/FYwZJU1lsFLL31p5eZECH88XClNVz@postini.com; Thu, 28 Feb 2013 13:00:21 PST
Received: by mail-oa0-f70.google.com with SMTP id h2so14849232oag.5 for <oauth@ietf.org>; Thu, 28 Feb 2013 13:00:19 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=x5t95WElj43QHzDGkdt3hXJEiz3S0LqnKnOjp2AgMwY=; b=A7ULgv4X5WiiETAmsXzAZXhfHWMmYVi3ABZbMTSUHPINJ5UETp6NAk5CQ46FElW5p/ RkAg9gZH9BpYmEkOBCKLEiD+mlzLQIM2rMQodf6IGA4FfSlrLnraT2cNu72nVtET7vX2 lnB5D1T5H7Y4AZqSPSTYGAxvKlpjeMA9twu1H42OxgedFaieU6HnZdCdzu8zCxg0igx0 KJ3y/ZedVfU7PY1wpq0YC5GKbKzJvz3mZKoSG38Z8zAorgweg+Mj7a9IUZnFEUlnJHAb SjNuok9sNaWIGDb6/HkaiGfimTSfmHNHRi5WrhWxL+6GBtkyKG6vkv0XfMfHEWnOd43U TG8g==
X-Received: by 10.42.30.132 with SMTP id v4mr4256360icc.34.1362085218944; Thu, 28 Feb 2013 13:00:18 -0800 (PST)
X-Received: by 10.42.30.132 with SMTP id v4mr4256357icc.34.1362085218816; Thu, 28 Feb 2013 13:00:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.32.106 with HTTP; Thu, 28 Feb 2013 12:59:48 -0800 (PST)
In-Reply-To: <512FC18D.1020803@oracle.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com> <512FC18D.1020803@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 28 Feb 2013 13:59:48 -0700
Message-ID: <CA+k3eCTnbJsdtvA=VJWd0ob+s4qGco4O30M4=crpXb1tizDj9A@mail.gmail.com>
To: prateek mishra <prateek.mishra@oracle.com>
Content-Type: multipart/alternative; boundary="20cf301d420e9f2fa804d6cf2d44"
X-Gm-Message-State: ALoCoQmfS1M7gan+gAl+nXDwf7jzPOvyise6eSXBc3nZGLNCNHMLh7FgfIDPTGHSbwWBXoO3s7d63GYooUCFQMrqqiHLW6R4HteiXJnmUxFy1NJmL8qgo7lue/93uQa9KXvx7ANLxz4y
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 21:00:23 -0000

Thanks Prateek. I like it and I think wordy might be the way to go here.


On Thu, Feb 28, 2013 at 1:43 PM, prateek mishra
<prateek.mishra@oracle.com>wrote:

>  SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization
> Grants
> JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
> Assertion Framework for OAuth 2.0 <as above>
>
> a bit wordy, but does get the point across IMO
>
> - prateek
>
>  I'm not sure anyone really "picked" the titles for the bearer token
> profiles. They just kind of evolved. And evolved in funny ways especially
> when client authn to the AS was added.
>
>  You won't hear me argue that the titles are "good" and this is not the
> first time there's been confusion about what they actually do. They define
> new grant types and new client authentication methods. They *do not* define
> an access token format or anything else about access tokens. JWT and SAML
> could be used for that but that's not what these drafts do.
>
>  Suggestions for better title(s) would be more than welcome.
>
>  Here's what they are now:
>
> SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
> draft-ietf-oauth-saml2-bearer
>
> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
> draft-ietf-oauth-jwt-bearer
>
> Assertion Framework for OAuth 2.0
> draft-ietf-oauth-assertions
>
> On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Yes the title likely adds to the confusion given that the bearer tokens
>> are not access tokens.
>>
>>  Things as separate from OAuth as the Firefox browerID spec use JWS
>> signed JWTs.
>>
>>  The bearer token profiles for OAuth 2 are for OAuth2.
>>
>>  The JSON Web Token (JWT)<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06> spec
>> did not start in OAuth and is not OAuth specific.
>>
>>  A JWT is:
>>
>> JSON Web Token (JWT)  A string representing a set of claims as a JSON
>>       object that is encoded in a JWS or JWE, enabling the claims to be
>>       digitally signed or MACed and/or encrypted.
>>
>>
>>  So OAuth or other profiles may define claims to go in a JWT, but the
>> JWT needs to itself only define the claims necessary for security
>> processing.
>>
>>  John B.
>> PS that was a soft ball If you hadn't responded I would have been
>> disappointed.  I din't pick the title for the bearer token profiles.
>>
>>
>>  On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>
>>
>>
>>
>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>
>>
>> Note the title says "for OAuth2"
>>
>>  Sorry. Couldn't resist.
>>
>>  Phil
>>
>>  Sent from my phone.
>>
>> On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>  JWT is an assertion( I am probably going to regret using that word).
>>
>>  It is used in openID connect for id_tokens, it is used in OAuth for
>> Assertion grant types and authentication of the client to the token
>> endpoint.
>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04
>>
>>
>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>
>>
>>  Dosen't define JWT's use for access tokens for the RS.
>>
>>  Bottom line JWT is for more than access tokens.
>>
>>  John B.
>>
>>  On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>  Are you saying jwt is not an access token type?
>>
>> Phil
>>
>>  Sent from my phone.
>>
>> On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>  Yes, defining scope in JWT is the wrong place.   JWT needs to stick to
>> the security claims needed to process JWT.
>>
>>  I also don't know how far you get requiring a specific authorization
>> format for JWT, some AS will wan to use a opaque reference, some might want
>> to use a user claim or role claim, others may use scopes,  combining scopes
>> and claims is also possible.
>>
>>  Right now it is up to a AS RS pair to agree on how to communicate
>> authorization.   I don't want MAC to be more restrictive than bearer when
>> it comes to authorization between AS and RS.
>>
>>  Hannes wanted to know why JWT didn't define scope.  The simple answer
>> is that it is out of scope for JWT itself.   It might be defined in a OAuth
>> access token profile for JWT but it should not be specific to MAC.
>>
>>  John B.
>>  On 2013-02-28, at 8:44 AM, Brian Campbell <bcampbell@pingidentity.com>
>> wrote:
>>
>>  I think John's point was more that scope is something rather specific
>> to an OAuth access token and, while JWT is can be used to represent an
>> access token, it's not the only application of JWT. The 'standard' claims
>> in JWT are those that are believed (right or wrong) to be widely applicable
>> across different applications of JWT. One could argue about it but scope is
>> probably not one of those.
>>
>>  It would probably make sense to try and build a profile of JWT
>> specifically for OAuth access tokens (though I suspect there are some
>> turtles and dragons in there), which might be the appropriate place to
>> define/register a scope claim.
>>
>>
>> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> Are you advocating TWO systems? That seems like a bad choice.
>>>
>>> I would rather fix scope than go to a two system approach.
>>>
>>> Phil
>>>
>>> Sent from my phone.
>>>
>>> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>> > While scope is one method that a AS could communicate authorization to
>>> a RS, it is not the only or perhaps even the most likely one.
>>> > Using scope requires a relatively tight binding between the RS and AS,
>>>  UMA uses a different mechanism that describes finer grained operations.
>>> > The AS may include roles, user, or other more abstract claims that the
>>> the client may (god help them) pass on to EXCML for processing.
>>> >
>>> > While having a scopes claim is possible, like any other claim it is
>>> not part of the JWT core security processing claims, and needs to be
>>> defined by extension.
>>> >
>>> > John B.
>>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <
>>> hannes.tschofenig@gmx.net> wrote:
>>> >
>>> >> Hi Mike,
>>> >>
>>> >> when I worked on the MAC specification I noticed that the JWT does
>>> not have a claim for the scope. I believe that this would be needed to
>>> allow the resource server to verify whether the scope the authorization
>>> server authorized is indeed what the client is asking for.
>>> >>
>>> >> Ciao
>>> >> Hannes
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>>
>>
>>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email