[OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-jwt-introspection-response-07: (with DISCUSS and COMMENT)

Adam Roach via Datatracker <noreply@ietf.org> Wed, 04 September 2019 07:44 UTC

From: Adam Roach via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-jwt-introspection-response@ietf.org, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth-chairs@ietf.org, rifaat.ietf@gmail.com, oauth@ietf.org
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <156758306119.22796.7625113709709674898.idtracker@ietfa.amsl.com>
Date: Wed, 04 Sep 2019 00:44:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zyufJ9r_JBJ3jZF0iR2df6B2x-A>
Subject: [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-jwt-introspection-response-07: (with DISCUSS and COMMENT)

Adam Roach has entered the following ballot position for
draft-ietf-oauth-jwt-introspection-response-07: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for the work the authors and other contributors have
put into creating this document.

I have a privacy concern that I think warrants text in the document.

Section 8.3.1 introduces a significant amount of personally-identifiable
information. While I understand that this is needed for the use case
cited in the introduction (issuing certificates for electronic signatures),
I think the document needs some treatment of the sensitivity of this
information, the basis that the server uses to decide whether to include
it, and how consent to disclose it might be obtained from the user.

I'm putting this in as a DISCUSS, because I really do think this is
a showstopper for publication. I am quite aware, however, that I might
simply be missing some important aspect of the solution that makes my
concerns moot. Please point me in the right direction if this is the
case, and I'll be happy to clear.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

§3:

>  The example response contains the following JSON document:
>
>  {
>    "sub": "Z5O3upPC88QrAjx00dis",
>    "aud": "https://protected.example.net/resource",
>    "scope": "read write dolphin",
>    "iss": "https://server.example.com/",
>    "active": true,
>    "exp": 1419356238,
>    "iat": 1419350238,
>    "client_id": "l238j323ds-23ij4",
>    "given_name": "John",
>    "family_name":"Doe",
>    "birthdate":"1982-02-01"
>  }

The example response actually contains the following JSON document:

{
   "sub":"Z5O3upPC88QrAjx00dis",
   "aud":"https:\/\/protected.example.net\/resource",
   "extension_field":"twenty-seven",
   "scope":"read write dolphin",
   "iss":"https:\/\/server.example.com\/",
   "active":true,
   "exp":1419356238,
   "iat":1419350238,
   "client_id":"l238j323ds-23ij4",
   "username":"jdoe"
}

Note the presence of "extension_field" and "username" fields, and the
absence of "given_name", "family_name", and "birthdate" fields. There's
also a bunch of unnecessarily escaped "/" characters in the document
in the JWT, but not the expanded example; and while these are semantically
insignificant, the discrepancy seems gratuitous.

It is probably worthwhile updating either the JWT or the expanded
example so that they match.
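As an added example (not part of Adam Roach's message or of the draft), the consistency check described above in Python: decode the payload segment of a compact JWT and diff its claim set against the expanded example. The token here is constructed from the decoded payload quoted in the message, with a placeholder header and signature, and no signature verification is performed; it also shows that the `\/` escapes disappear once the payload is parsed as JSON.

```python
import base64
import json

# Constructed for this example: the payload is the JSON document decoded
# from the draft's JWT (keeping its "\/" escapes); the header and signature
# are placeholders. Nothing here validates a token; it is a claim-set diff.
DECODED_PAYLOAD = (r'{"sub":"Z5O3upPC88QrAjx00dis",'
                   r'"aud":"https:\/\/protected.example.net\/resource",'
                   r'"extension_field":"twenty-seven","scope":"read write dolphin",'
                   r'"iss":"https:\/\/server.example.com\/","active":true,'
                   r'"exp":1419356238,"iat":1419350238,'
                   r'"client_id":"l238j323ds-23ij4","username":"jdoe"}')

# The expanded example as quoted from section 3 of the draft.
EXPANDED_EXAMPLE = {
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "scope": "read write dolphin",
    "iss": "https://server.example.com/",
    "active": True, "exp": 1419356238, "iat": 1419350238,
    "client_id": "l238j323ds-23ij4",
    "given_name": "John", "family_name": "Doe", "birthdate": "1982-02-01",
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWS segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Placeholder header and signature around the decoded payload.
CONSTRUCTED_JWT = ".".join([b64url_encode(b'{"alg":"PLACEHOLDER"}'),
                            b64url_encode(DECODED_PAYLOAD.encode("utf-8")),
                            "placeholder-signature"])

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT; decodes only, does not validate."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def compare_claims(token: str, expanded: dict) -> dict:
    """Report which claim names or values differ between token and example."""
    claims = jwt_claims(token)
    shared = set(claims) & set(expanded)
    return {"only_in_jwt": sorted(set(claims) - set(expanded)),
            "only_in_expanded": sorted(set(expanded) - set(claims)),
            "value_mismatch": sorted(k for k in shared if claims[k] != expanded[k])}
```

Running `compare_claims(CONSTRUCTED_JWT, EXPANDED_EXAMPLE)` reports `extension_field` and `username` only in the JWT, `birthdate`, `family_name` and `given_name` only in the expanded example, and no value mismatches, since the escaped and unescaped `aud` and `iss` parse to identical strings.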