Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
Tom Jones <thomasclinganjones@gmail.com> Mon, 20 July 2020 22:14 UTC
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB3E53A102C for <txauth@ietfa.amsl.com>; Mon, 20 Jul 2020 15:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FeeBVJqzRKxx for <txauth@ietfa.amsl.com>; Mon, 20 Jul 2020 15:14:32 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A7333A1028 for <txauth@ietf.org>; Mon, 20 Jul 2020 15:14:32 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id 12so15630597oir.4 for <txauth@ietf.org>; Mon, 20 Jul 2020 15:14:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FWv8rczu826K5jBZmEO8e2EphrLkbrc3ZWQeUcMJZoQ=; b=V0HELoZNQWzHWb+q3d+scb+2WAtPcrqFbGUkT5PzXVXXRqbO2jG4aa/UpOqO310KTE huQlWJWB3goF2nGmPU3eC2j7XgIY+bSfBJEcGli80CSRAz/5HvcQqo4cMDLOBmWyh6xR UCv0BJ1/0TUYVwDd5rbFJ85rYxNhbT444FF3gVaGV+OTEAScnAH3K6pSH2HuuJ1xvz9H t8yViPcvmZwp4zXoxuU2QZrQnhIb9jJZpeGtCFTiEdUa3TvkCYu674tAjR0YE5dWyZSf 7EQicc4zjUpOcxQXGqH0rVGsw6jedwNHxr08THgfVkqshzWhF+asHTXgGpsw1SRda0NV rhTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FWv8rczu826K5jBZmEO8e2EphrLkbrc3ZWQeUcMJZoQ=; b=rPb7H8x0CC/z4RiYGh23JfHT2fg8nJXCLrdPHk9nt3uKCt3peaybn25mtXu45GDCet PbXPq34NriOYmynbvQ6v6ayiTXiymd+H7B66gbW+UQh7i1qzlhc2+GenS3QuiMyk1uvJ v28xZ2mJWS1wdXg7dZxd3muL3RLVfFjpsTxRcd6wV4B8s1y8SIDoVoVy0AmjtQVnhqjB +9/PQE7yY4829+x3HdQEdSOoi0wh4IVL4MHyXhztDMorKcLQQTJtrFp0NxDORnqIrde7 HMf+FpFljy0dSHDWkVoMLrSponTtXI4opA7EwVQZan26hSDDYwv61xR+Ui1NjT6heUF5 /Stg==
X-Gm-Message-State: AOAM532YvJpB6W7s42clJZnhl0cw3fyzWPZQwTE2g/eZD+Mi/Egppge9 vUVb9qlaYD8g++OilDpKxSSTITztYuRgog7sH+8=
X-Google-Smtp-Source: ABdhPJyF8DJyAVIORVO6zyOUWGKiNiUxyemdOtTAFOC4s2rkEEVstUYDFSthsh3gpMCpyq5DBijmxz8LI2jzIZsxBas=
X-Received: by 2002:aca:4b50:: with SMTP id y77mr1033710oia.63.1595283271404; Mon, 20 Jul 2020 15:14:31 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-t0uApDbHkJpsDGHaYr2LjkmzZKtdqaP=9BnQn5Rd4bKg@mail.gmail.com> <D05DF324-8866-4E74-9173-A7B8CB479CC7@gmail.com> <CAD9ie-vfrX6XR-XG6y1w09MhJm0xGvj9=bkidqxe8m541fdF-g@mail.gmail.com>
In-Reply-To: <CAD9ie-vfrX6XR-XG6y1w09MhJm0xGvj9=bkidqxe8m541fdF-g@mail.gmail.com>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Mon, 20 Jul 2020 15:14:19 -0700
Message-ID: <CAK2Cwb5gqsPZ93YxMbgXH1JigrHMtQ1CsQWXikzoki=vcb5nfw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b5505205aae6d47c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Slu2MK4ue_eXbi3UC5mEvB3Or94>
Subject: Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 22:14:36 -0000
if the user must authorize access to the resource, then what better place for it than their phone. I don't much worry about inconveniencing some gigantic corporation. I should be clear tho, *user agents* do not need to be on user phones, i was addressing my particular need. If the user has delegated authority to some cloud based service, then that *user agent *could could also host an as. It is interesting to speculate on whether an IdP (openId provider e.g.) could ever be a trusted *user agen*t. Given what I understand of the market today, I guess that is not possible. Markets do, however, change. Some on the list speculate that the client (sink of user resources) could be a *user agent*. That is, at least, problematic, but conceivable. I, personally, would not conflate a client with a *user agent.* After all, the user agent has access to (at least some) user accessible resources. maybe you should just rename the as to be a *user agent.* Or at least state that the as is an endpoint of a user agent. BTW, for me a user is an identifier claiming to represent a human at a device. Whether they are the RO or a guardian is not of importance here. I know others have other definitions, sorry about that. Peace ..tom On Mon, Jul 20, 2020 at 12:30 PM Dick Hardt <dick.hardt@gmail.com> wrote: > Curious: How are you envisioning the client communicates to the AS if it > is on the User's phone? > ᐧ > > On Sun, Jul 19, 2020 at 9:13 PM Tom Jones <thomasclinganjones@gmail.com> > wrote: > >> Well, that might work for you. It won’t work for me. I put the as on the >> user’s phone. The source and sink of the data can switch roles on a >> millisecond basis. I will track your progress and adopt what I can. >> >> ..Tom's phone >> >> On Jul 19, 2020, at 1:45 PM, Dick Hardt <dick.hardt@gmail.com> wrote: >> >> >> Hi Tom >> >> The proposal is that Client asks for a claim from the AS, the user >> consents at the AS, and the AS directly releases the claim directly to the >> Client. No access token. No resource server. >> >> Simpler for Client and Grant Server (AS) >> >> >> >> >> >> >> On Sat, Jul 18, 2020 at 7:34 PM Tom Jones <thomasclinganjones@gmail.com> >> wrote: >> >>> absolutely, yes, tha az token can authorize any resource held by the >>> resource server. >>> The ONLY thing special about PII is the protection granted by the >>> various privacy laws. >>> >>> As an aside, I don't find much in the current discussion that gives me a >>> warm feeling about privacy. >>> The stuff in the torsten tokens is about as anti-privacy an effort as >>> exists today. >>> Identity assurance does NOT need to be enabled by sending more and yet >>> again more PII. >>> Peace ..tom >>> >>> >>> On Sat, Jul 18, 2020 at 5:58 PM Dick Hardt <dick.hardt@gmail.com> wrote: >>> >>>> Hey Tom >>>> >>>> While I think defining claims is out of scope of the WG, I think >>>> enabling a client to obtain claims about a user is in scope. >>>> Would you consider authorization for the release of claims to be part >>>> of the purpose of this WG? >>>> >>>> I'm concerned about the XYZ shift to subject identifiers from claims, >>>> and pushing claims to a higher layer, as it may indicate to developers that >>>> they can ONLY ask for a user identifier. >>>> >>>> When I think of a claim, I include any and all identifiers, but I also >>>> include user attributes such as under-13, over-21, >>>> student-at-an-accredited-school, resident of city/state/province/country. >>>> >>>> GNAP can enable a client to ask for only the claims it needs, >>>> preserving user privacy, and compliance with many privacy regulations. >>>> >>>> Would you agree? >>>> >>>> /Dick >>>> >>>> >>>> >>>> >>>> On Sat, Jul 18, 2020 at 9:56 AM Tom Jones <thomasclinganjones@gmail.com> >>>> wrote: >>>> >>>>> I agree with Justin's comment " what we should do, as we define GNAP >>>>> as a protocol, is focus on this one, limited slice of the identity space >>>>> and not spiral into others." >>>>> The title "Authorization" should rule the purposes of this group above >>>>> all else. >>>>> >>>>> The earlier statement that the client should know who the user is - is >>>>> just plain WRONG. The client should only know the information the user is >>>>> willing to share with the client. >>>>> It is now the law in California that the client cannot demand identity >>>>> information that is not required for a legitimate business purpose. >>>>> There are some clients that act as fiduciaries for the user >>>>> (financial and healthcare come to mind), but as a general rule the "client" >>>>> is not to be trusted by the user. >>>>> I understand most of the people on this list are paid by the client's >>>>> of the world, but you are still bound by the laws that apply to those >>>>> clients. >>>>> >>>>> Peace ..tom >>>>> >>>>> >>>>> On Mon, Jul 13, 2020 at 12:31 PM Justin Richer <jricher@mit.edu> >>>>> wrote: >>>>> >>>>>> A quick note, as my choice of language below seems to have been >>>>>> confusing. First there is a typo, where the word “it” should have been “in” >>>>>> to read: >>>>>> >>>>>> I am saying that GNAP, *in* its definition within this working >>>>>> group, should be limited to identifier claims. >>>>>> >>>>>> >>>>>> And second, there seems to be confusion around whether I’m trying to >>>>>> argue about the scope “allowed” by the charter by saying “its definition >>>>>> within this working group” here. >>>>>> >>>>>> To be clear, we as the working group are *defining* GNAP the >>>>>> protocol. It has not yet been defined, and that’s why were all here. The >>>>>> charter doesn’t define it. The input specs don’t define it. The working >>>>>> group defines it, and my stance as a contributor to this WG is that we >>>>>> should focus on a delegation protocol with some basic identifier query >>>>>> support and leave the full fledged identity protocol to different work. >>>>>> >>>>>> We’ve already got our hands full here without taking all of that on, >>>>>> especially since I do believe we need to build GNAP in such a way as to >>>>>> facilitate its extension in several known directions, including a full >>>>>> identity protocol. If we do things right here, we can see GNAP as the basis >>>>>> of a large number of things out there in the world. >>>>>> >>>>>> So my stance in what we should do, as we define GNAP as a protocol, >>>>>> is focus on this one, limited slice of the identity space and not spiral >>>>>> into others. >>>>>> >>>>>> — Justin >>>>>> >>>>>> On Jul 13, 2020, at 2:51 PM, Justin Richer <jricher@mit.edu> wrote: >>>>>> >>>>>> I am saying that GNAP, it its definition within this working group, >>>>>> should be limited to identifier claims. Other claims can come from other >>>>>> protocols properly layered on top of GNAP. GNAP shouldn’t stop them from >>>>>> being built, but in my opinion we shouldn’t be defining those here. See the >>>>>> discussion below on the extensibility avenues of this approach. >>>>>> >>>>>> — Justin >>>>>> >>>>>> On Jul 13, 2020, at 2:12 PM, Dick Hardt <dick.hardt@gmail.com> wrote: >>>>>> >>>>>> I agree that an API to return claims is useful. I think we have >>>>>> agreed on that. >>>>>> >>>>>> Using the SubjectIdentifiers schema is another schema that would be >>>>>> useful for GNAP to support. >>>>>> >>>>>> I disagree that GNAP should be limited to identifier claims. >>>>>> >>>>>> ᐧ >>>>>> >>>>>> On Mon, Jul 13, 2020 at 7:16 AM Justin Richer <jricher@mit.edu> >>>>>> wrote: >>>>>> >>>>>>> One thing I think we should learn from OIDC is that returning claims >>>>>>> from an API, and not just an assertion or direct response, is a powerful >>>>>>> and useful pattern. We have an opportunity to separate these cleanly, where >>>>>>> OIDC didn’t have the opportunity in defining the “claims” request parameter. >>>>>>> >>>>>>> As an alternative to the current XYZ and XAuth syntaxes, over the >>>>>>> weekend I’ve been playing with something that would look like this strawman >>>>>>> in the request: >>>>>>> >>>>>>> >>>>>>> { >>>>>>> subject: { >>>>>>> id: [ “account”, “email”, “iss-sub”], >>>>>>> assertion: [ “odic_id_token”, “verifiable_credential”, “saml" ] >>>>>>> } >>>>>>> } >>>>>>> >>>>>>> >>>>>>> This request says that I’d like some subset of these identifiers (as >>>>>>> plain text in the response) and some subset of signed assertions in the >>>>>>> given formats. Each one would have an associated space in the return. I’m >>>>>>> not picturing that the “id” field values would affect the contents of the >>>>>>> assertions: so I could ask for an email address identifier but get back an >>>>>>> ID token that had only the subject identifier. Maybe that’s not the right >>>>>>> model? But it’s at least simple and deterministic this way, and it’s >>>>>>> something to play with. >>>>>>> >>>>>>> Note: The “id” names are taken from >>>>>>> https://tools.ietf.org/id/draft-ietf-secevent-subject-identifiers-05.html, >>>>>>> the “assertion” names are made up as I didn’t see a source that collected >>>>>>> them. If you wanted specific bundles of claims about the user from a >>>>>>> UserInfoEndpoint, for example, you’d have something like: >>>>>>> >>>>>>> { >>>>>>> subject: { >>>>>>> id: [ “account”, “email”, “iss-sub”], >>>>>>> assertion: [ “odic_id_token”, “verifiable_credential”, “saml" ] >>>>>>> }, >>>>>>> resources: [{ >>>>>>> type: “userinfo”, >>>>>>> datatypes: [ “openid”, “profile”, “phone”, “email” ] >>>>>>> }] >>>>>>> } >>>>>>> >>>>>>> >>>>>>> This is an example for a specific kind of resource, and I don’t >>>>>>> think that GNAP should define the “userinfo” schema here, or the datatype >>>>>>> values therein. That should be work outside of GNAP, probably for the OIDF. >>>>>>> >>>>>>> This approach is extensible in several ways, each of them for a >>>>>>> specific reason that I think is clear: >>>>>>> >>>>>>> - new values in the “id” field to give new identifiers >>>>>>> - new values in the “assertion” field to give new assertion formats >>>>>>> - new fields under the “subject” heading >>>>>>> - new resource types besides “userinfo” (like “scim-v1” or >>>>>>> “facebook-profile” for instance) >>>>>>> - new datatypes within the “userinfo” resource type >>>>>>> - new top-level request parameters >>>>>>> >>>>>>> As per the other thread, if you wanted to use the OIDC query >>>>>>> language, you’d package it separately as a top-level request parameter >>>>>>> since it can include both the ID token response and the access token >>>>>>> response and we shouldn’t be encouraging mixing these things together. >>>>>>> >>>>>>> — Justin >>>>>>> >>>>>>> On Jul 10, 2020, at 5:00 PM, Dick Hardt <dick.hardt@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>> It looks to me that our different views of what is in scope for GNAP >>>>>>> are the differences below. >>>>>>> >>>>>>> Per the subject line, I'm looking at how the client acquires claims >>>>>>> about the user. You don't think that is in scope, and that a different >>>>>>> layer will solve that. >>>>>>> >>>>>>> I think we should learn from OIDC being on top of OAuth, and GNAP >>>>>>> should be able return ANY claim, not just identifier claims. There are use >>>>>>> cases that may be difficult to support if we do not have that functionality >>>>>>> in scope, such as some of the ones I list below, and it seems pretty >>>>>>> straightforward to support ANY claim if we are supporting identifiers. >>>>>>> >>>>>>> /Dick >>>>>>> >>>>>>> >>>>>>> On Fri, Jul 10, 2020 at 1:09 PM Justin Richer <jricher@mit.edu> >>>>>>> wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Jul 10, 2020, at 2:15 PM, Dick Hardt <dick.hardt@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>> >>>>>>>> inline ... >>>>>>>> >>>>>>>> On Thu, Jul 9, 2020 at 5:44 PM Justin Richer <jricher@mit.edu> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Yes, the core idea is to not have to parse an assertion to get >>>>>>>>> back the core authentication information, which consists of an identifier >>>>>>>>> (iss/sub pair in OIDC, but could be a number of things). Sometimes the >>>>>>>>> client is going to want the rest of the identity information, but If the >>>>>>>>> user’s logged into the client before, the client has likely cached that >>>>>>>>> info and probably won’t need it, and sending it would be a violation of >>>>>>>>> privacy principles.. The client would want the info pretty much just in >>>>>>>>> these cases: >>>>>>>>> >>>>>>>>> 1. The client has never seen the user before. >>>>>>>>> 2. The user’s information has been updated since the last time >>>>>>>>> the client saw it. >>>>>>>>> >>>>>>>> >>>>>>>> Agreed >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> Now for case (1), how would the client know if it wants to request >>>>>>>>> the user’s profile info or not, since it doesn’t know who the user is? >>>>>>>>> >>>>>>>> >>>>>>>> But the client could know who the user is. The client may have used >>>>>>>> a different AS to authenticate the user. >>>>>>>> >>>>>>>> >>>>>>>> In these cases, the client is not going to be requesting identity >>>>>>>> information from the AS to log the user in, so it’s not relevant to the use >>>>>>>> case. The client will have an opportunity to push that information to the >>>>>>>> AS. >>>>>>>> >>>>>>>> The User may have self identified to the client. The client may >>>>>>>> have a cookie saying who the user was and the user said that was them. >>>>>>>> While the latter cases are really a strong hint, they are likely right most >>>>>>>> of the time and can lead to a user experience basde on that hint >>>>>>>> >>>>>>>> >>>>>>>> In these cases, the AS might be able to guess if the client has >>>>>>>> info about the user already, but probably not. And the assumptions fall >>>>>>>> apart if it’s in fact a different user that ends up logging in, which is of >>>>>>>> course possible (the hint you gave doesn’t match the identity of the >>>>>>>> current user after the AS validates them). This possibility leads to >>>>>>>> clients always asking for everything every time and the server providing >>>>>>>> everything every time. That’s a pattern I think we should avoid in an >>>>>>>> ultimate solution — but ultimately, I don’t think that this kind of >>>>>>>> protocol decision is inside of GNAP. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> And the AS won’t know if client is going to want the profile info, >>>>>>>>> since the AS won’t know if the client has the user’s info or not. Sure, the >>>>>>>>> AS might have seen that client and that user combo previously, but it >>>>>>>>> doesn’t know if the client needs an update. >>>>>>>>> >>>>>>>> >>>>>>>> The client can share with the AS the user it knows or thinks it is >>>>>>>> dealing with, which could let the AS respond if the information was new. >>>>>>>> This could be the case for an AS that is providing claims, but not >>>>>>>> authentication, and could happen silently. The user would only interact if >>>>>>>> the user information had changed, and the client wanted the updated >>>>>>>> information. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> See above. >>>>>>>> >>>>>>>> >>>>>>>>> And for (2), the client won’t know if the user’s info has been >>>>>>>>> updated or not because it doesn’t know who the user is yet. If the AS can >>>>>>>>> provide some time of updated stamp to the client, the client can pull the >>>>>>>>> new info when it needs it. >>>>>>>>> >>>>>>>> >>>>>>>> See above. >>>>>>>> >>>>>>>> >>>>>>>> See above. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> If you ignore both of these cases and put all the user information >>>>>>>>> inline with the main request/response, you end up in a situation where the >>>>>>>>> client always requests everything and the server always provides >>>>>>>>> everything, since you can’t be sure you’re not in situation (1) or (2) >>>>>>>>> ahead of time. >>>>>>>>> >>>>>>>> >>>>>>>> See above. There are a number of other states the client could be >>>>>>>> in. >>>>>>>> >>>>>>>> For example, the client could be stateless about user information, >>>>>>>> so it knows it is ALWAYS in state 1. >>>>>>>> >>>>>>>> >>>>>>>> A stateless client would need to fetch appropriate user information >>>>>>>> every time, then. But that’s an optimization for a very specific case. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> This is really what I mean about the two-stage identity protocol. >>>>>>>>> >>>>>>>> >>>>>>>> I know what it is. Per above, GNAP lets us support a wider set of >>>>>>>> use cases. Why limit ourselves to what OIDC supported? >>>>>>>> >>>>>>>> >>>>>>>> We aren’t limiting the protocol, but instead limiting the scope of >>>>>>>> what we define internal to the GNAP protocol. There’s a lot of room for >>>>>>>> innovation on top of it. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> In the first stage, you push the bare minimum of what you need to >>>>>>>>> get the user known to the client. In the second stage, the client uses its >>>>>>>>> access token to call an API to get whatever else it needs to know about the >>>>>>>>> user. >>>>>>>>> >>>>>>>> >>>>>>>> From a privacy perspective in non-enterprise use cases, I think the >>>>>>>> user should give consent to any updated personal information to a client. >>>>>>>> In general, the client should not be able to get the latest information >>>>>>>> about a user whenever it wants. >>>>>>>> >>>>>>>> >>>>>>>> This is about the rights associated with the access token, then. >>>>>>>> And an access token doesn’t have to keep working if the AS has a policy >>>>>>>> that says it won’t. The AS/RS could easily decide that a particular access >>>>>>>> token will only return data that hasn’t been changed. Maybe it stops >>>>>>>> working after the data changes, or it just returns old data, or any number >>>>>>>> of things. This is for the AS/RS to decide and this is pretty standard >>>>>>>> interpretation of the token, nothing special here because we’re dealing >>>>>>>> with identity. >>>>>>>> >>>>>>>> — Justin >>>>>>>> >>>>>>>> >>>>>>>> /Dick >>>>>>>> ᐧ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> -- >>>>>> Txauth mailing list >>>>>> Txauth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>> >>>>>> >>>>>> -- >>>>>> Txauth mailing list >>>>>> Txauth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>>> >>>>>
- [Txauth] JSON Schema? Dick Hardt
- Re: [Txauth] JSON Schema? Wayne Chang
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] JSON Schema? Dick Hardt
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] JSON Schema? Benjamin Kaduk
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Tom Jones
- Re: [Txauth] TLS Dependency Wayne Chang
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Stephen Moore
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Denis
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- [Txauth] XAuth "flaws" (Was: Polymorphism (Was: J… Dick Hardt
- [Txauth] acquiring claims (was Polymorphism (Was:… Dick Hardt
- [Txauth] WG scope wrt. identity (Was: Polymorphis… Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Justin Richer
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] JSON Schema? Yaron Sheffer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Denis
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Leif Johansson
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Leif Johansson
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Francis Pouatcha
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer