Thanks all! Section 8.13 of the framework is exactly what I was looking for, I don’t know how I did not see it. A bit surprised there is no text referencing it in the framework itself.

Also, about the “scope” claim registration: the claim description and the specification document give 2 different pointers. The claim description ref points to the description for JWT (JSON string etc.), I think this should be adapted to using CBOR (writing a section in the ACE framework, which could then reference both pointers). Also minor, I would add the precise section of 6749 we should look at, which I assume is 3.3.

Francesca

From: Mike Jones <[email protected]>
Date: Friday, 21 February 2020 at 19:45
To: Jim Schaad <[email protected]>, Francesca Palombini <[email protected]>, 'Seitz Ludwig' <[email protected]>
Cc: Ace Wg <[email protected]>
Subject: RE: [EXTERNAL] RE: Access token question

And https://tools.ietf.org/html/rfc8693#section-7.4, which registers “scope” at https://www.iana.org/assignments/jwt/jwt.xhtml.

-- Mike

From: Jim Schaad <[email protected]>
Sent: Friday, February 21, 2020 9:15 AM
To: 'Francesca Palombini' <[email protected]>; 'Seitz Ludwig' <[email protected]>; Mike Jones <[email protected]>
Cc: 'Ace Wg' <[email protected]>
Subject: [EXTERNAL] RE: Access token question

You are missing something: https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13 defined here.

From: Francesca Palombini <[email protected]>
Sent: Friday, February 21, 2020 4:37 AM
To: Seitz Ludwig <[email protected]>; Mike Jones <[email protected]>; Jim Schaad <[email protected]>
Cc: Ace Wg <[email protected]>
Subject: Access token question

Hi,

Quick question regarding access token and scope. I know that “scope” semantics is left to the application to define, but in general I would expect to include there some information about resource and method/operations allowed on that resource. Please correct me if any of this is not exact.

It was my understanding that “scope” (or more precisely the “scope” value) defined for the Client-AS request and response should be included in the access token as well. Checking in CWT, there is no such “scope” claim defined. “aud” claim is indeed defined for the CWT, but that should correspond to “aud” parameter in the ACE request/response.

So where do I put the exact resource and operations in the access token? What am I missing?

Francesca
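The thread's question is where the resource and allowed operations go in a CWT access token; the answer given is the “scope” claim registered by section 8.13 of the ACE framework, carried as CBOR rather than the JSON string the JWT registry describes. As an added illustration (not code from the thread or from any ACE implementation), the following Python encodes a minimal CWT claim set with that claim and shows the check a resource server would make against it. Assumptions not stated in the thread: the RFC 8392 claim keys iss=1, aud=3, exp=4, the claim key 9 the framework registers for “scope”, and a constructed “METHOD:path” scope syntax, since scope semantics are application-defined.

```python
"""Encode the ACE "scope" claim in a CWT claim set (added example, not from the thread).

Assumed here: CWT claim keys iss=1, aud=3, exp=4 (RFC 8392) and scope=9 (ACE
framework registration); a constructed "METHOD:path" scope syntax, since scope
semantics are application-defined. COSE signing/MAC of the claim set is omitted.
"""
import struct

# The JWT registry describes "scope" as a JSON string; in a CWT the same claim
# is a CBOR text (or byte) string under integer key 9.
ISS, AUD, EXP, SCOPE = 1, 3, 4, 9

def _head(major: int, arg: int) -> bytes:
    """CBOR initial byte plus argument for a major type (RFC 8949 section 3)."""
    if arg < 24:
        return bytes([major << 5 | arg])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if arg < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, arg)
    raise ValueError("argument too large")

def cbor_encode(v) -> bytes:
    """Minimal deterministic CBOR encoder for the types a claim set needs."""
    if isinstance(v, int) and not isinstance(v, bool):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return _head(3, len(b)) + b
    if isinstance(v, dict):  # integer keys, sorted for deterministic output
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(v[k]) for k in sorted(v))
    raise TypeError(f"unsupported type {type(v).__name__}")

def cwt_claims(iss: str, aud: str, exp: int, scope: str) -> bytes:
    """Claim set the AS places in the CWT: audience names the RS, scope names
    the operations the client may perform there."""
    return cbor_encode({ISS: iss, AUD: aud, EXP: exp, SCOPE: scope})

def rs_authorizes(claims: dict, my_aud: str, now: int, method: str, path: str) -> bool:
    """RS-side check on the (already verified) claim set: the token must name
    this RS, be unexpired, and its scope must grant this operation on this path."""
    if claims.get(AUD) != my_aud or claims.get(EXP, 0) <= now:
        return False
    scope = claims.get(SCOPE)
    if not isinstance(scope, str):  # this application uses text scopes only
        return False
    return f"{method}:{path}" in scope.split()
```

The encoder sorts map keys so two authorization servers producing the same claim set emit identical bytes, which matters once the claim set is MACed or signed.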
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
