+1 - It will make things much simpler.

> On 19.04.2018 at 00:58, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> I’m OK with this change, given it makes the OAuth suite of specs more
> self-consistent.
>
> -- Mike
>
> From: OAuth <oauth-boun...@ietf.org> On Behalf Of Brian Campbell
> Sent: Wednesday, April 18, 2018 8:17 AM
> To: Torsten Lodderstedt <tors...@lodderstedt.net>
> Cc: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12
>
> The draft-ietf-oauth-token-exchange document makes use of scope and at some
> point in that work it came to light that, despite the concept of scope being
> used lots of places elsewhere, there was no officially registered JWT claim
> for scope. As a result, we (the WG) decided to have
> draft-ietf-oauth-token-exchange define and register a JWT claim for scope.
> It's kind of an awkward place for it really but that's how it came to be
> there.
>
> When I added it to the draft, I opted for the semi-convention of JWT using
> three letter short claim names. And decided to use a JSON array to convey
> multiple values rather than space delimiting. It seemed like a good idea at
> the time - more consistent with other JWT claim names and cleaner to use the
> facilities of JSON rather than a delimited string. That was the thinking at
> the time anyway and, as I recall, I asked the WG about doing it that way at
> one of the meetings and there was general, if somewhat absent, nodding in the
> room.
>
> Looking at this again in the context of the question from Torsten and his
> developers, I think using a different name and syntax for the JWT claim vs.
> the Introspection response member/parameter/claim is probably a mistake.
> While RFC 7662 Introspection response parameters aren't exactly the same as
> JWT claims, they are similar in many respects. So giving consistent treatment
> across them to something like scope is
>
> Therefore I propose that the JWT claim for representing scope in
> draft-ietf-oauth-token-exchange be changed to be consistent with the
> treatment of scope in RFC 7662 OAuth 2.0 Token Introspection. That
> effectively means changing the name from "scp" to "scope" and the value from
> a JSON array to a string delimited by spaces.
>
> I realize it's late in the process to make this change but believe doing so
> will significantly reduce confusion and issues in the long run.
>
> On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt
> <tors...@lodderstedt.net> wrote:
> Hi all,
>
> I’m wondering why draft-ietf-oauth-token-exchange-12 defines a claim „scp“
> to carry scope values while RFC 7591 and RFC 7662 use a claim „scope“ for the
> same purpose. As far as I understand the text, the intention is to represent
> a list of RFC6749 scopes. Is this correct? What’s the rationale behind?
>
> Different claim names for representing scope values confuse people. I
> realized that when one of our developers pointed out that difference
> recently.
>
> best regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
> material for the sole use of the intended recipient(s). Any review, use,
> distribution or disclosure by others is strictly prohibited. If you have
> received this communication in error, please notify the sender immediately by
> e-mail and delete the message and any file attachments from your computer.
> Thank you.
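An added example, not part of the thread or of any draft text: a resource server that may receive either representation discussed above ("scp" as a JSON array, "scope" as a space-delimited string) can normalize both to a set before making an authorization decision. The function names and the fail-closed handling of malformed or conflicting values are assumptions of this example.

```python
class ScopeError(ValueError):
    """Raised when a token's scope data is malformed or inconsistent."""


def extract_scopes(claims: dict) -> frozenset:
    """Return granted scopes from JWT claims or an introspection response.

    Accepts "scope" as a space-delimited string (RFC 7662 style) and "scp"
    as a JSON array of strings (draft-ietf-oauth-token-exchange-12 style).
    """
    parsed = []
    if "scope" in claims:
        value = claims["scope"]
        if not isinstance(value, str):
            raise ScopeError('"scope" must be a space-delimited string')
        # RFC 6749 delimits scope tokens with a single space character.
        parsed.append(frozenset(value.split(" ")) - {""})
    if "scp" in claims:
        value = claims["scp"]
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ScopeError('"scp" must be an array of strings')
        if any(v == "" or " " in v for v in value):
            raise ScopeError('"scp" entries must be single scope tokens')
        parsed.append(frozenset(value))
    if len(parsed) == 2 and parsed[0] != parsed[1]:
        # Two representations that disagree: refuse to pick one.
        raise ScopeError('"scope" and "scp" disagree')
    return parsed[0] if parsed else frozenset()


def is_authorized(claims: dict, required: str) -> bool:
    """Exact-match membership test; any parsing problem denies access."""
    try:
        return required in extract_scopes(claims)
    except ScopeError:
        return False


if __name__ == "__main__":
    # Constructed sample claim sets, not taken from any real token.
    print(is_authorized({"scope": "read write"}, "write"))        # string form
    print(is_authorized({"scp": ["read", "write"]}, "write"))     # array form
    print(is_authorized({"scope": "read admin:audit"}, "admin"))  # no substring match
```

Comparing set membership rather than using `in` directly on the raw claim avoids the substring match that a space-delimited string would otherwise allow.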