Hi Vittorio,
I raised the following question:
In the future, if additional parameters are included in the request,
will the "sub" claim necessarily be present in the access token ?
The answer to this question does not seem to be present in the draft.
Would you be able to provide an answer ?
Denis
Denis, the change you mentioned is basically a typo, which I did fix
but did not publish a new draft for- that doesn’t change the substance
of the consensus (and is something that will be fixed in the
subsequent phases of the process).
Whether the sub should be mandatory has been discussed for two reasons:
- as a way of distinguishing whether the token was obtained on behalf
of a user or an application identity, by omitting it in the latter
case. We had extensive discussions following IETF105 and concluded
that not enough people were interested in that scenario. I kept that
discussion open for a long time.
- for privacy concerns. Those has been debated and your position
failed to gather momentum.
Some of the recent discussions on sub didn’t pick up on the
discussions above and didn’t bring new arguments that weren’t already
debated. Nonetheless I did my best to provide context and pointer to
the past discussions when answering the concerns. In other words,
those discussions didn’t appear to change the consensus achieved on
the matter. We have 3 last calls, I don’t think the chairs changed the
status of the document lightly.
On Thu, May 14, 2020 at 07:29 Denis <denis.i...@free.fr
<mailto:denis.i...@free.fr>> wrote:
The current version of this draft is
"draft-ietf-oauth-access-token-jwt-07" issued on April the 27 th.
This means that comments sent later on on the list have not been
incorporated in this draft.
In particular, this one sent on April the 28 th:
*1) *The title of this spec. is:
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
So, this spec. is supposed to be targeted to OAuth *2.0. *
However, the header at the top of the page omits to mention it.
Currently, it is :
Internet-Draft OAuth Access Token JWT Profile April 2020
It should rather be:
Internet-Draft OAuth *2.0* Access Token JWT Profile
April 2020
It has been acknowledged by Vittorio on April, the 29 th:
/> The title of this spec./
Fixed, thanks!
This means that the draft document currently available on the IETF
server is not reflecting the agreed comments.
Since then, I questioned myself how a client would be able to
request an access token that would be
*strictly compliant with this Profile*.
For doing this exercise, I took a look at section 3 on pages 6 to
8. To summarize my findings:
* the request MAY include a "resource" parameter. If the request
does not include a "resource" parameter,
the authorization server MUST use in the "aud" claim a default
resource indicator.
* the request MAY include "scope" parameter. If a "scope"
parameter is present in the request,
the authorization server SHOULD use it to infer the value of
the default resource indicator to be used in the "aud" claim.
It seems to mean that if the request includes no "resource"
parameter and no "scope" parameter, the access token will necessarily
include the "sub" claim.
If in the request, there would be present a parameter meaning "I
want a token compliant with *this OAuth 2.0 profile*",
then there would be no problem, but this is not the case.
In the future, if additional parameters are included in the
request, will the "sub" claim necessarily be present in the access
token ?
If yes, this may be a privacy concern.
On the list there have been requirements for not making the "sub"
parameter mandatory.
This point needs to be addressed and solved one way or another.
Denis
All,
Based on the 3rd WGLC, we believe that we have consensus to move
this document forward.
https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
We will be working on the shepherd write-up and then submit the
document to the IESG soon.
Regards,
Rifaat & Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
