[OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-jwt-introspection-response-07: (with DISCUSS and COMMENT)
Adam Roach via Datatracker <noreply@ietf.org> Wed, 04 September 2019 07:44 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 42BB31200CE; Wed, 4 Sep 2019 00:44:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-jwt-introspection-response@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, rifaat.ietf@gmail.com, oauth@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.100.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <156758306119.22796.7625113709709674898.idtracker@ietfa.amsl.com>
Date: Wed, 04 Sep 2019 00:44:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zyufJ9r_JBJ3jZF0iR2df6B2x-A>
Subject: [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-jwt-introspection-response-07: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 07:44:22 -0000
Adam Roach has entered the following ballot position for
draft-ietf-oauth-jwt-introspection-response-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for the work the authors and other contributors have put into
creating this document.

I have a privacy concern that I think warrants text in the document.
Section 8.3.1 introduces a significant amount of personally-identifiable
information. While I understand that this is needed for the use case
cited in the introduction (issuing certificates for electronic
signatures), I think the document needs some treatment of the
sensitivity of this information, the basis that the server uses to
decide whether to include it, and how consent to disclose it might be
obtained from the user.

I'm putting this in as a DISCUSS, because I really do think this is a
showstopper for publication. I am quite aware, however, that I might
simply be missing some important aspect of the solution that makes my
concerns moot. Please point me in the right direction if this is the
case, and I'll be happy to clear.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

§3:

> The example response contains the following JSON document:
>
> {
>   "sub": "Z5O3upPC88QrAjx00dis",
>   "aud": "https://protected.example.net/resource",
>   "scope": "read write dolphin",
>   "iss": "https://server.example.com/",
>   "active": true,
>   "exp": 1419356238,
>   "iat": 1419350238,
>   "client_id": "l238j323ds-23ij4",
>   "given_name": "John",
>   "family_name":"Doe",
>   "birthdate":"1982-02-01"
> }

The example response actually contains the following JSON document:

{
  "sub":"Z5O3upPC88QrAjx00dis",
  "aud":"https:\/\/protected.example.net\/resource",
  "extension_field":"twenty-seven",
  "scope":"read write dolphin",
  "iss":"https:\/\/server.example.com\/",
  "active":true,
  "exp":1419356238,
  "iat":1419350238,
  "client_id":"l238j323ds-23ij4",
  "username":"jdoe"
}

Note the presence of "extension_field" and "username" fields, and the
absence of "given_name", "family_name", and "birthdate" fields.

There's also a bunch of unnecessarily escaped "/" characters in the
document in the JWT, but not the expanded example; and while these are
semantically insignificant, the discrepancy seems gratuitous. It is
probably worthwhile updating either the JWT or the expanded example so
that they match.
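The consistency check the review performs by hand (decode the JWT, compare its claim set with the expanded JSON, and note which claims are the personally identifiable ones the DISCUSS raises) can be automated. The following is an added example, not code from the draft or the ballot; the HS256 key, the `PII_CLAIMS` list and the claim values (constructed from the values quoted in the review) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Claims the DISCUSS treats as personally identifiable (assumed list, for illustration).
PII_CLAIMS = {"given_name", "family_name", "birthdate"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT carrying the introspection claims (constructed sample)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_jwt_claims(token: str, key: bytes) -> dict:
    """Verify the HS256 signature before trusting the payload, then return the claim set."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("JWT signature check failed")
    return json.loads(b64url_decode(payload))


def compare_claims(jwt_claims: dict, expanded: dict) -> dict:
    """Report claims present in only one document, plus any PII claims found in either."""
    jwt_keys, exp_keys = set(jwt_claims), set(expanded)
    return {
        "only_in_jwt": sorted(jwt_keys - exp_keys),
        "only_in_expanded": sorted(exp_keys - jwt_keys),
        "pii_present": sorted((jwt_keys | exp_keys) & PII_CLAIMS),
    }


# Constructed samples mirroring the two documents the review compares.
JWT_CLAIMS = {"sub": "Z5O3upPC88QrAjx00dis", "aud": "https://protected.example.net/resource",
              "extension_field": "twenty-seven", "scope": "read write dolphin",
              "iss": "https://server.example.com/", "active": True, "exp": 1419356238,
              "iat": 1419350238, "client_id": "l238j323ds-23ij4", "username": "jdoe"}
EXPANDED_CLAIMS = {k: v for k, v in JWT_CLAIMS.items() if k not in ("extension_field", "username")}
EXPANDED_CLAIMS.update({"given_name": "John", "family_name": "Doe", "birthdate": "1982-02-01"})
KEY = b"constructed-demo-key"  # assumption: a shared secret for the sample token


def run_check() -> dict:
    return compare_claims(decode_jwt_claims(make_hs256_jwt(JWT_CLAIMS, KEY), KEY), EXPANDED_CLAIMS)


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```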