Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

2018-04-18 Thread Mike Jones
I’m OK with this change, given it makes the OAuth suite of specs more 
self-consistent.

   -- Mike

From: OAuth  On Behalf Of Brian Campbell
Sent: Wednesday, April 18, 2018 8:17 AM
To: Torsten Lodderstedt 
Cc: oauth 
Subject: Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

The draft-ietf-oauth-token-exchange document makes use of scope and at some 
point in that work it came to light that, despite the concept of scope being 
used lots of places elsewhere, there was no officially registered JWT claim for 
scope. As a result, we (the WG) decided to have draft-ietf-oauth-token-exchange 
define and register a JWT claim for scope. It's kind of an awkward place for it 
really but that's how it came to be there.
When I added it to the draft, I opted for the semi-convention of JWT using 
three-letter short claim names. And decided to use a JSON array to convey 
multiple values rather than space delimiting. It seemed like a good idea at the 
time - more consistent with other JWT claim names and cleaner to use the 
facilities of JSON rather than a delimited string. That was the thinking at the 
time anyway and, as I recall, I asked the WG about doing it that way at one of 
the meetings and there was general, if somewhat absent, nodding in the room.
Looking at this again in the context of the question from Torsten and his 
developers, I think using a different name and syntax for the JWT claim vs. 
the Introspection response member/parameter/claim is probably a mistake.  While 
RFC 7662 Introspection response parameters aren't exactly the same as JWT 
claims, they are similar in many respects. So giving consistent treatment 
across them to something like scope is
Therefore I propose that the JWT claim for representing scope in 
draft-ietf-oauth-token-exchange be changed to be consistent with the treatment 
of scope in RFC 7662 OAuth 2.0 Token Introspection. That effectively means 
changing the name from "scp" to "scope" and the value from a JSON array to a 
string delimited by spaces.
I realize it's late in the process to make this change but believe doing so 
will significantly reduce confusion and issues in the long run.





On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt wrote:
Hi all,

I’m wondering why draft-ietf-oauth-token-exchange-12 defines a claim „scp“ to 
carry scope values while RFC 7591 and RFC 7662 use a claim „scope“ for the same 
purpose. As far as I understand the text, the intention is to represent a list 
of RFC6749 scopes. Is this correct? What’s the rationale behind?

Different claim names for representing scope values confuse people. I realized 
that when one of our developers pointed out that difference recently.

best regards,
Torsten.
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited. If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.


Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

2018-04-18 Thread Brian Campbell
Eric, I realize you weren't particularly impressed by my prior statements
about the actor claim but, for lack of knowing what else to say, I'm going
to kind of repeat what I said about it over in the Phabricator tool
 and add a
little color.

The actor claim is intended as a way to express that delegation has
happened and identify the entities involved. Access control or other
decisions based on it are at the discretion of the consumer of the token
based on whatever policy might be in place.

There are JWT claims that have concise processing rules with respect to
whether or not the JWT can be accepted as valid. Some examples are "aud"
(Audience), "exp" (Expiration Time), and "nbf" (Not Before) from RFC 7519.
E.g. if the token is expired or was intended for someone or something else,
reject it.

And there are JWT claims that appropriately don't specify such processing
rules and are solely statements of fact or circumstance. Also from RFC
7519, the "sub" (Subject) and "iat" (Issued At) claims are good examples of
such. There might be application or policy specific rules applied to the
content of those kinds of claims (e.g. only subjects from a particular
organization are able to access tenant specific data or, less realistic but
still possible, disallow access for tokens issued outside of regular
business hours) but that's all outside the scope of a specification's
definition of the claim.

The actor claim falls into the latter category. It's a way for the issuer
of the token to tell the consumer of the token what is going on. But any
action to take (or not) based on that information is at the discretion of
the token consumer. I honestly don't know that it could be anything more. And
I don't think it should be.

There are two main expected uses of the actor claim (that I'm aware of
anyway) that describing here might help. Maybe. One is a human to human
delegation case like a customer service rep doing something on behalf of an
end user. The subject would be that user and the actor would be the
customer service rep. And there wouldn't be any chaining or nesting of the
actor. The other case is so called service chaining where a system might
exchange a token it receives for a new token that it can use to call a
downstream service. And that service in turn might do another exchange to
get a new token suitable to call yet another downstream service. And again
and so on and turtles all the way. I'm not necessarily endorsing that level
of granularity in chaining but it's bound to happen somewhere/sometime. The
nested actor claim is able to express that all that has happened with the
top level or outermost one being the system currently using the token and
prior systems being nested. What actually gets done with that information
is up to the respective systems involved. There might be policy about what
system is allowed to call what other system that is enforced. Or maybe the
info is just written to an audit log somewhere. Or something else. I don't
know. But whatever it is, it's application/deployment/policy dependent and not
specifiable by a spec.






On Fri, Apr 13, 2018 at 6:38 PM, Eric Rescorla  wrote:

> Hi folks,
>
> I've gone over draft-ietf-oauth-token-exchange-12 and things seem
> generally OK. I do still have one remaining concern, which is about
> the actor claim. Specifically, what is the RP supposed to do when they
> encounter it? This seems kind of underspecified.
>
> In particular:
>
> 1. What facts am I supposed to know here? Merely that everyone in
>the chain signed off on the next person in the chain acting as them?
>
> 2. Am I just supposed to pretend that the person presenting the token
>is the identity at the top of the chain? Say I have the
>delegation A -> B -> C, and there is some resource which
>B can access but A and C cannot, should I give access?
>
> I think the first question definitely needs an answer. The second
> question I guess we could make not answer, but it's pretty hard
> to know how to make a system with this left open.
>
> -Ekr
>
>
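The nested actor chain Brian describes, walked the way a token consumer might. This is an added example, not code from draft-ietf-oauth-token-exchange or from anyone on the thread; it assumes the "act"/"sub" layout described above (the outermost actor is the current caller, nested ones are prior hops), a single-string "aud", and a constructed allow-list policy and depth bound that a deployment would have to supply itself:

```python
"""Walking the nested "act" claim of a token-exchange JWT at the consumer.

Added example; not code from draft-ietf-oauth-token-exchange or from any
participant in this thread. It assumes the structure Brian describes:
"sub" is the delegating subject, the outermost "act" is the party currently
using the token, and each nested "act" is a prior party in the chain. The
allow-list policy, the depth bound and the sample payloads are constructed
for illustration; the draft itself leaves such policy to the deployment.
"""
from typing import Any, Dict, List, Tuple

MAX_ACT_DEPTH = 8  # assumption: a sane bound for service-chaining depth

# Constructed sample: customer-service rep acting on behalf of an end user.
HUMAN_DELEGATION: Dict[str, Any] = {
    "iss": "https://as.example.test",
    "aud": "https://api.example.test",
    "sub": "alice@example.test",
    "act": {"sub": "rep-42@support.example.test"},
}

# Constructed sample: service chaining, outermost actor is the current caller.
SERVICE_CHAIN: Dict[str, Any] = {
    "iss": "https://as.example.test",
    "aud": "https://ledger.example.test",
    "sub": "alice@example.test",
    "act": {
        "sub": "https://orders.example.test",            # currently presenting the token
        "act": {"sub": "https://gateway.example.test"},  # earlier hop
    },
}

# Constructed policy: (caller, callee) pairs this deployment permits.
ALLOWED_CALLS = {
    ("https://gateway.example.test", "https://orders.example.test"),
    ("https://orders.example.test", "https://ledger.example.test"),
    ("rep-42@support.example.test", "https://api.example.test"),
}


def actor_chain(claims: Dict[str, Any]) -> List[str]:
    """Actor subjects outermost-first: [current actor, prior actor, ..., earliest].

    The depth is bounded because "act" is issuer-supplied structure; a consumer
    should not recurse without limit over data it did not produce.
    """
    chain: List[str] = []
    node = claims.get("act")
    while node is not None:
        if len(chain) >= MAX_ACT_DEPTH:
            raise ValueError("act claim nested deeper than %d levels" % MAX_ACT_DEPTH)
        if not isinstance(node, dict) or not isinstance(node.get("sub"), str):
            raise ValueError("malformed act claim: every level needs a string 'sub'")
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def call_hops(claims: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(caller, callee) hops implied by the chain, earliest hop first.

    The innermost actor called the next one out, and so on; the outermost
    actor is the one calling the audience of this token.
    """
    chain = actor_chain(claims)
    if not chain:
        return []
    inner_hops = list(zip(chain[1:], chain[:-1]))[::-1]
    return inner_hops + [(chain[0], claims["aud"])]


def chain_permitted(claims: Dict[str, Any], allowed=ALLOWED_CALLS) -> Tuple[bool, str]:
    """Deployment policy: every hop must be on the allow-list. Fails closed."""
    if not isinstance(claims.get("aud"), str):
        return False, "aud missing or not a single string (assumption of this example)"
    hops = call_hops(claims)
    if not hops:
        return True, "no delegation asserted"
    for caller, callee in hops:
        if (caller, callee) not in allowed:
            return False, "hop %s -> %s not permitted" % (caller, callee)
    return True, "all %d hops permitted" % len(hops)


def audit_line(claims: Dict[str, Any]) -> str:
    """The other use Brian mentions: just record who acted for whom."""
    chain = actor_chain(claims)
    return "subject=%s actors=%s" % (claims.get("sub"), " <- ".join(chain) or "none")


if __name__ == "__main__":
    for payload in (HUMAN_DELEGATION, SERVICE_CHAIN):
        print(audit_line(payload), chain_permitted(payload))
```

As Brian says, what to do with the chain is policy: the allow-list check and the audit line are two of the options from his message. The depth bound is the one thing a consumer should enforce regardless, because the nesting is data the issuer produced and the consumer did not.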


Re: [OAUTH-WG] Call for agenda items

2018-04-18 Thread Dick Hardt
I think it would be useful if we had a draft and we wanted to accelerate
next steps, which may have been what would have happened in the last interim
meeting. But it was not, it was clear there was not consensus on the
problem, so I'm hoping Nat, Brian and myself can get consensus, and then
bring that back to the WG.

I'll take an action item to coordinate with Nat and Brian.

Anyone else interested in participating is also welcome to join!


On Wed, Apr 18, 2018 at 12:44 PM, Hannes Tschofenig <
hannes.tschofe...@arm.com> wrote:

> Rifaat and I are also OK with not having to organize a conference call on
> that topic if you and the group think that no such meeting is necessary.
>
>
>
> *From:* Dick Hardt [mailto:dick.ha...@gmail.com]
> *Sent:* 18 April 2018 16:29
>
> *To:* Hannes Tschofenig
> *Cc:* n-sakimura; oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> The last interim meeting was not very productive. The value I got was that
> it would be useful to see if Nat, Brian and I could coalesce.
>
>
>
> On Wed, Apr 18, 2018 at 7:21 AM Hannes Tschofenig <
> hannes.tschofe...@arm.com> wrote:
>
> Hi Dick,
>
>
>
> The value of a conference call as part of the OAuth working group is that
> you involve other interested parties to the discussion, and that you do not
> have to repeat your private conversations later again on the mailing list.
>
> That’s pretty convincing to me ;-)
>
>
>
> Ciao
>
> Hannes
>
>
>
>
>
> *From:* Dick Hardt [mailto:dick.ha...@gmail.com]
> *Sent:* 18 April 2018 16:15
> *To:* Hannes Tschofenig
> *Cc:* n-sakimura; oauth
>
>
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> F2F side/author meeting at Montreal
>
> Ad hoc author meeting call prior
>
>
>
> Unclear to me the value of a WG interim meeting
>
>
>
> On Wed, Apr 18, 2018 at 3:59 AM Hannes Tschofenig <
> hannes.tschofe...@arm.com> wrote:
>
> Hey guys,
>
>
>
> I am trying to find out what you are planning here.
>
>
>
> Are you talking about scheduling a side meeting at the next IETF meeting
> or a f2f meeting somewhere else?
>
>
>
> Rifaat and I had promised to schedule a conference call (virtual interim
> meeting) about distributed OAuth and we are targeting May. While holding a
> f2f interim meeting for OAuth is possible we have not discussed this so
> far.
>
>
>
> Ciao
> Hannes
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *n-sakimura
> *Sent:* 18 April 2018 07:34
> *To:* Dick Hardt; n-sakimura
> *Cc:* oauth
>
>
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> I support the idea. Adding to it, perhaps we can do an ad-hoc before
> Montreal so that we can come up with a combined draft.
>
>
>
> Nat Sakimura
>
> --
>
> PLEASE READ: This e-mail is confidential and intended for the named
> recipient only. If you are not an intended recipient, please notify the
> sender and delete this e-mail.
>
>
>
>
>
>
>
>
> --
>
> *From:* Dick Hardt
> *Sent:* 18 April 2018 0:40:20
> *To:* n-sakimura
> *CC:* Rifaat Shekh-Yusef; oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> **
> This e-mail was sent from a free e-mail service. Targeted attack e-mails
> can arrive from free e-mail services, so please be careful. If you do not
> recognise the e-mail, do not open its attachments or URLs and follow the
> procedure described below.
>
> Shared Information > Information Security Topics > If you receive a suspicious e-mail
> Or,
> NRI Group Security Portal > Information Security Topics > If you receive a suspicious e-mail
> **
>
> I'd like to coordinate a side meeting with Nat, Brian, myself and other
> interested parties in Montreal to discuss Distributed OAuth.
>
>
>
> If we have two meetings, I'd like a timeslot in the second to summarize
> the side meeting and discuss next steps (if any).
>
>
>
> Separately, I'd like a time slot for an update on Reciprocal OAuth.
>
>
>
> On Wed, Mar 7, 2018 at 5:52 PM, n-sakimura  wrote:
>
> No, not really. I was thinking of a more informal thing. The session is
> supposed to be Wednesday afternoon, so I was thinking that it might be a
> good idea to do a bit of recap among contributors to draw up a battle plan
> towards IETF 102.
>
>
>
> Nat
>
>
>
> *From:* Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com]
> *Sent:* Wednesday, March 07, 2018 9:22 PM
> *To:* n-sakimura 
> *Cc:* Brian Campbell ; oauth 
>
>
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> Nat,
>
>
>
> Are you asking for an interim meeting?
>
> We could schedule the Distributed OAuth discussion for the Wednesday
> meeting; that will give you guys some time to discuss these face-to-face in
> London.
>
>
>
> Regards,
>
>  Rifaat
>
>
>
>
>
>
>
> On Wed, Mar 7, 2018 at 2:00 AM, n-sakimura  wrote:
>
> Then let us do it. We need to put all the proposals on the table and
> strategize the design.
>
> Perhaps we need a side meeting as well.
>
>
>
> nat
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
> 

Re: [OAUTH-WG] Call for agenda items

2018-04-18 Thread Hannes Tschofenig
Rifaat and I are also OK with not having to organize a conference call on that 
topic if you and the group think that no such meeting is necessary.

From: Dick Hardt [mailto:dick.ha...@gmail.com]
Sent: 18 April 2018 16:29
To: Hannes Tschofenig
Cc: n-sakimura; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

The last interim meeting was not very productive. The value I got was that it 
would be useful to see if Nat, Brian and I could coalesce.

On Wed, Apr 18, 2018 at 7:21 AM Hannes Tschofenig wrote:
Hi Dick,

The value of a conference call as part of the OAuth working group is that you 
involve other interested parties to the discussion, and that you do not have to 
repeat your private conversations later again on the mailing list.
That’s pretty convincing to me ;-)

Ciao
Hannes


From: Dick Hardt [mailto:dick.ha...@gmail.com]
Sent: 18 April 2018 16:15
To: Hannes Tschofenig
Cc: n-sakimura; oauth

Subject: Re: [OAUTH-WG] Call for agenda items

F2F side/author meeting at Montreal
Ad hoc author meeting call prior

Unclear to me the value of a WG interim meeting

On Wed, Apr 18, 2018 at 3:59 AM Hannes Tschofenig wrote:
Hey guys,

I am trying to find out what you are planning here.

Are you talking about scheduling a side meeting at the next IETF meeting or a 
f2f meeting somewhere else?

Rifaat and I had promised to schedule a conference call (virtual interim 
meeting) about distributed OAuth and we are targeting May. While holding a f2f 
interim meeting for OAuth is possible we have not discussed this so far.

Ciao
Hannes

From: OAuth [mailto:oauth-boun...@ietf.org] On 
Behalf Of n-sakimura
Sent: 18 April 2018 07:34
To: Dick Hardt; n-sakimura
Cc: oauth

Subject: Re: [OAUTH-WG] Call for agenda items


I support the idea. Adding to it, perhaps we can do an ad-hoc before Montreal 
so that we can come up with a combined draft.


Nat Sakimura
From: Dick Hardt
Sent: 18 April 2018 0:40:20
To: n-sakimura
CC: Rifaat Shekh-Yusef; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

I'd like to coordinate a side meeting with Nat, Brian, myself and other 
interested parties in Montreal to discuss Distributed OAuth.

If we have two meetings, I'd like a timeslot in the second to summarize the 
side meeting and discuss next steps (if any).

Separately, I'd like a time slot for an update on Reciprocal OAuth.

On Wed, Mar 7, 2018 at 5:52 PM, n-sakimura wrote:

No, not really. I was thinking of a more informal thing. The session is supposed 
to be Wednesday afternoon, so I was thinking that it might be a good idea to do 
a bit of recap among contributors to draw up a battle plan towards IETF 102.



Nat



From: Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com]
Sent: Wednesday, March 07, 2018 9:22 PM
To: n-sakimura
Cc: Brian Campbell; oauth

Subject: Re: [OAUTH-WG] Call for agenda items



Nat,



Are you asking for an interim meeting?

We could schedule the Distributed OAuth discussion for the Wednesday meeting; 
that will give you guys some time to discuss these face-to-face in London.



Regards,

 Rifaat







On Wed, Mar 7, 2018 at 2:00 AM, n-sakimura wrote:

Then let us do it. We need to put all the proposals on the table and strategize 
the design.

Perhaps we need a side meeting as well.



nat



From: OAuth [mailto:oauth-boun...@ietf.org] On 
Behalf Of Brian Campbell
Sent: Wednesday, March 07, 2018 1:31 AM
To: Rifaat Shekh-Yusef
Cc: oauth
Subject: Re: [OAUTH-WG] Call for agenda items



I hadn't previously been planning on it but am happy to do so.



On Tue, Mar 6, 2018 at 8:22 AM, Rifaat Shekh-Yusef wrote:

Nat,



During the interim meeting, 3 drafts were mentioned in the context of Distributed 
OAuth:




Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Incremental Authorization

2018-04-18 Thread Richard Backman, Annabelle
I support adoption of OAuth 2.0 Incremental Authorization as a WG document.

--
Annabelle Richard Backman
Amazon – Identity Services

From: OAuth  on behalf of Brian Campbell 

Date: Wednesday, April 18, 2018 at 8:23 AM
To: Rifaat Shekh-Yusef 
Cc: oauth 
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Incremental Authorization

I support adoption of OAuth 2.0 Incremental Authorization as a WG document.

On Mon, Apr 16, 2018 at 8:47 AM, Rifaat Shekh-Yusef wrote:
All,

We would like to get a confirmation on the mailing list for the adoption of the 
OAuth 2.0 Incremental Authorization as a WG document
https://datatracker.ietf.org/doc/draft-wdenniss-oauth-incremental-auth/

Please, let us know if you support or object to the adoption of this document.

Regards,
 Rifaat & Hannes




Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07

2018-04-18 Thread Brian Campbell
Thanks for the text, Neil. And the nit on the text, Ben. I'll include it in
the next draft.

Ben, bit of a procedural question for you: can or should I include those
references (https://www.cryptologie.net/article/374/common-x509-certificate-validationcreation-pitfalls/
& http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf) that Neil had with the
text in the draft as informational? Or? I'm honestly not sure if it's okay to
cite a blog post or university paper.







On Tue, Apr 17, 2018 at 8:13 AM, Benjamin Kaduk  wrote:

> Picking nits, but maybe "established and well-tested X.509 library
> (such as one used by an established TLS library)", noting that TLS
> 1.3 has added a new protocol feature that allows for TLS and X.509
> library capabilities to be separately indicated (as would be needed
> if they were organizationally separate).
>
> -Ben
>
> On Tue, Apr 17, 2018 at 10:48:04AM +0100, Neil Madden wrote:
> > OK, here’s a stab at a new security considerations section on X.509
> parsing and validation:
> >
> > ---
> > 5.3 X.509 Certificate Parsing and Validation Complexity
> >
> > Parsing and validation of X.509 certificates and certificate chains is
> complex and implementation mistakes have previously exposed security
> vulnerabilities. Complexities of validation include (but are not limited
> to) [1][2][3]:
> > - checking of Basic Constraints, basic and extended Key Usage
> constraints, validity periods, and critical extensions;
> > - handling of null-terminator bytes and non-canonical string
> representations in subject names;
> > - handling of wildcard patterns in subject names;
> > - recursive verification of certificate chains and checking certificate
> revocation.
> > For these reasons, implementors SHOULD use an established and
> well-tested TLS library for validation of X.509 certificate chains and
> SHOULD NOT attempt to write their own X.509 certificate validation
> procedures.
> >
> > [1] https://www.cryptologie.net/article/374/common-x509-certificate-validationcreation-pitfalls/
> > [2] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> > [3] https://tools.ietf.org/html/rfc5280
> >
> > ---
> >
> > NB - this blog post [1] is the best concise summary of attacks I could
> find. Most of these attacks have been published as Black Hat talks and I
> can’t seem to find definitive references or good survey papers (beyond [2],
> which is a little older).
> >
> > Let me know what you think,
> >
> > Neil
> >
> >
> > > On 12 Apr 2018, at 20:42, Brian Campbell 
> wrote:
> > >
> > > Thanks Neil.
> > >
> > > Other than the potential metadata changes, which I'd like more WG
> input on and may raise in a new thread, I think I've got enough to make
> updates addressing your comments.  But please do send text for that
> Security Considerations bit, if you come up with something.
> > >
> > > On Thu, Apr 12, 2018 at 3:03 AM, Neil Madden <
> neil.mad...@forgerock.com > wrote:
> > > Hi Brian,
> > >
> > > Thanks for the detailed responses. Comments in line below (marked with
> ***).
> > >
> > > Neil
> > >
> > > On Wednesday, Apr 11, 2018 at 9:47 pm, Brian Campbell <
> bcampb...@pingidentity.com > wrote:
> > > Thanks for the review and feedback, Neil. I apologize for my being
> slow to respond. As I said to Justin recently <
> https://mailarchive.ietf.org/arch/msg/oauth/cNmk8fSuxp37L-z8Rvr6_EnyCug>,
> I've been away from things for a while. Also there's a lot here to get
> through so took me some time.
> > >
> > > It looks like John touched on some of your comments but not all. I'll
> try and reply to them as best I can inline below.
> > >
> > >
> > > On Thu, Mar 29, 2018 at 9:18 AM, Neil Madden <
> neil.mad...@forgerock.com > wrote:
> > > Hi,
> > >
> > > I have reviewed this draft and have a number of comments, below.
> ForgeRock have not yet implemented this draft, but there is interest in
> implementing it at some point. (Disclaimer: We have no firm commitments on
> this at the moment, I do not speak for ForgeRock, etc).
> > >
> > > 1. https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-3.1 <
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-3.1> defines
> a new confirmation method “x5t#S256”. However, there is already a
> confirmation method “jwk” that can contain a JSON Web Key, which itself can
> contain a “x5t#S256” claim with exactly the same syntax and semantics. The
> draft proposes:
> > >
> > > { “cnf”: { “x5t#S256”: “…” } }
> > >
> > > but you can already do:
> > >
> > > { “cnf”: { “jwk”: { … , “x5t#S256”: “…” } } }
> > >
> > > If the 
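Neil's first point concerns how the thumbprint confirmation is carried in "cnf". As an added example that is neither the draft's nor ForgeRock's code, the following computes the x5t#S256 value (base64url-encoded SHA-256 of the DER certificate) and checks a presented certificate against a token that carries it either directly or under "jwk"; the certificate bytes are constructed placeholders, and a real deployment would take the DER from the TLS layer after the library-based chain validation the thread recommends:

```python
"""Checking a certificate-bound token via the x5t#S256 confirmation method.

Added example; not code from draft-ietf-oauth-mtls or from any participant
in this thread. It assumes what the thread states about the confirmation
value: the base64url-encoded SHA-256 hash of the certificate's DER encoding,
carried either directly as cnf."x5t#S256" (the draft's method) or inside a
cnf."jwk" object (the alternative Neil raises). The "DER" byte strings below
are constructed placeholders, not real certificates; the binding check only
hashes them, so that is enough to show the mechanism.
"""
import base64
import hashlib
import hmac
from typing import Any, Dict, Optional


def x5t_s256(der: bytes) -> str:
    """base64url without padding of SHA-256 over the DER-encoded certificate."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def thumbprint_from_cnf(claims: Dict[str, Any]) -> Optional[str]:
    """Expected thumbprint from either cnf form; None when the token is unbound."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return None
    direct = cnf.get("x5t#S256")
    jwk = cnf.get("jwk")
    via_jwk = jwk.get("x5t#S256") if isinstance(jwk, dict) else None
    if direct is not None and via_jwk is not None and direct != via_jwk:
        raise ValueError("cnf carries two different x5t#S256 values")
    value = direct if direct is not None else via_jwk
    if value is not None and not isinstance(value, str):
        raise ValueError("x5t#S256 must be a string")
    return value


def certificate_bound(claims: Dict[str, Any], presented_der: bytes) -> bool:
    """True only if the token is bound to the certificate the client presented.

    A token with no cnf claim fails closed: a resource that requires
    certificate binding must not fall back to bearer semantics.
    """
    expected = thumbprint_from_cnf(claims)
    if expected is None:
        return False
    actual = x5t_s256(presented_der)
    # Constant-time comparison; both sides are short ASCII strings.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


# Constructed placeholder "certificates" (not real DER).
CLIENT_CERT_DER = b"\x30\x82\x01\x00placeholder-client-cert-der"
OTHER_CERT_DER = b"\x30\x82\x01\x00placeholder-other-cert-der"


def sample_token(use_jwk_form: bool = False) -> Dict[str, Any]:
    """Constructed access-token payload bound to CLIENT_CERT_DER."""
    tp = x5t_s256(CLIENT_CERT_DER)
    if use_jwk_form:
        cnf = {"jwk": {"kty": "RSA", "x5t#S256": tp}}  # other JWK members omitted
    else:
        cnf = {"x5t#S256": tp}
    return {"iss": "https://as.example.test", "sub": "client-1", "cnf": cnf}


if __name__ == "__main__":
    print(certificate_bound(sample_token(), CLIENT_CERT_DER))     # True
    print(certificate_bound(sample_token(True), OTHER_CERT_DER))  # False
```

The thumbprint only binds the token to a certificate; whether that certificate is trustworthy is the chain-validation question Neil's proposed section addresses, and this check is meant to run only after the TLS library has answered it.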

Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Incremental Authorization

2018-04-18 Thread Brian Campbell
I support adoption of OAuth 2.0 Incremental Authorization as a WG document.

On Mon, Apr 16, 2018 at 8:47 AM, Rifaat Shekh-Yusef 
wrote:

> All,
>
> We would like to get a confirmation on the mailing list for the adoption of
> the *OAuth 2.0 Incremental Authorization* as a WG document
> https://datatracker.ietf.org/doc/draft-wdenniss-oauth-incremental-auth/
>
> Please, let us know if you support or object to the adoption of this
> document.
>
> Regards,
>  Rifaat & Hannes
>
>


Re: [OAUTH-WG] scp claim in draft-ietf-oauth-token-exchange-12

2018-04-18 Thread Brian Campbell
The draft-ietf-oauth-token-exchange document makes use of scope and at some
point in that work it came to light that, despite the concept of scope
being used lots of places elsewhere, there was no officially registered JWT
claim for scope. As a result, we (the WG) decided to have
draft-ietf-oauth-token-exchange define and register a JWT claim for scope.
It's kind of an awkward place for it really but that's how it came to be
there.

When I added it to the draft, I opted for the semi-convention of JWT using
three letter short claim names. And decided to use a JSON array to convey
multiple values rather than space delimiting. It seemed like a good idea at
the time - more consistent with other JWT claim names and cleaner to use
the facilities of JSON rather than a delimited string. That was the
thinking at the time anyway and, as I recall, I asked the WG about doing it
that way at one of the meetings and there was general, if somewhat absent,
nodding in the room.

Looking at this again in the context of the question from Torsten and his
developers, I think using a different name and syntax for the JWT claim vs.
the Introspection response member/parameter/claim is probably a mistake.
While RFC 7662 Introspection response parameters aren't exactly the same as
JWT claims, they are similar in many respects. So giving consistent
treatment across them to something like scope is

Therefore I propose that the JWT claim for representing scope in
draft-ietf-oauth-token-exchange be changed to be consistent with the
treatment of scope in RFC 7662 OAuth 2.0 Token Introspection. That
effectively means changing the name from "scp" to "scope" and the value
from a JSON array to a string delimited by spaces.

I realize it's late in the process to make this change but believe doing so
will significantly reduce confusion and issues in the long run.






On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt <
tors...@lodderstedt.net> wrote:

> Hi all,
>
> I’m wondering why draft-ietf-oauth-token-exchange-12 defines a claim
> „scp“ to carry scope values while RFC 7591 and RFC 7662 use a claim „scope“
> for the same purpose. As far as I understand the text, the intention is to
> represent a list of RFC6749 scopes. Is this correct? What’s the rationale
> behind?
>
> Different claim names for representing scope values confuse people. I
> realized that when one of our developers pointed out that difference
> recently.
>
> best regards,
> Torsten.
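While the change Brian proposes settles the wire format, a token consumer written against draft -12 may still meet both spellings for a while. As an added example that is not part of the thread or of the draft, the following normalises either form to one set, validates each value against the RFC 6749 scope-token syntax, and refuses a token whose two claims disagree; the sample payloads are constructed:

```python
"""Normalising the scope of a JWT that may carry either claim spelling.

Added example; not code from draft-ietf-oauth-token-exchange, RFC 7662 or
any participant in this thread. It assumes the two encodings the thread
contrasts: "scp" as a JSON array of strings (draft-ietf-oauth-token-exchange-12)
and "scope" as a space-delimited string (RFC 7662 / RFC 6749). The sample
payloads are constructed.
"""
from typing import Any, Dict, FrozenSet, Iterable


def _valid_scope_token(tok: str) -> bool:
    # RFC 6749 scope-token: one or more of %x21 / %x23-5B / %x5D-7E, i.e.
    # printable ASCII excluding space, double quote and backslash.
    return bool(tok) and all(0x21 <= ord(c) <= 0x7E and c not in '"\\' for c in tok)


def scopes_from_claims(claims: Dict[str, Any]) -> FrozenSet[str]:
    """Granted scopes regardless of which claim carried them.

    "scope" (space-delimited string) and "scp" (array of strings) are both
    accepted. If both are present they must agree; a token that says two
    different things about its own scope is rejected rather than resolved
    by picking one, so an inconsistent issuer cannot widen access by accident.
    """
    found = []
    if "scope" in claims:
        raw = claims["scope"]
        if not isinstance(raw, str):
            raise ValueError('"scope" must be a space-delimited string')
        found.append(frozenset(raw.split()))  # split() tolerates repeated spaces
    if "scp" in claims:
        raw = claims["scp"]
        if not isinstance(raw, list) or not all(isinstance(s, str) for s in raw):
            raise ValueError('"scp" must be a JSON array of strings')
        found.append(frozenset(raw))
    if not found:
        return frozenset()
    if len(found) == 2 and found[0] != found[1]:
        raise ValueError('"scope" and "scp" disagree; refusing to guess')
    scopes = found[0]
    bad = sorted(s for s in scopes if not _valid_scope_token(s))
    if bad:
        raise ValueError("invalid scope token(s): %r" % bad)
    return scopes


def to_introspection_form(scopes: Iterable[str]) -> str:
    """The RFC 7662 representation Brian proposes the JWT claim adopt."""
    return " ".join(sorted(scopes))


def has_scopes(claims: Dict[str, Any], required: Iterable[str]) -> bool:
    """True when every required scope was granted."""
    return frozenset(required) <= scopes_from_claims(claims)


# Constructed sample payloads.
DRAFT12_STYLE = {"sub": "alice", "scp": ["read", "write"]}
RFC7662_STYLE = {"sub": "alice", "scope": "read  write"}  # double space tolerated
CONFLICTING = {"sub": "alice", "scope": "read", "scp": ["read", "admin"]}

if __name__ == "__main__":
    for claims in (DRAFT12_STYLE, RFC7662_STYLE):
        print(to_introspection_form(scopes_from_claims(claims)))
```

The disagreement case is the one worth keeping even after the rename: a consumer that silently prefers one claim over the other turns a formatting inconsistency into an authorization decision.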


Re: [OAUTH-WG] Call for agenda items

2018-04-18 Thread Dick Hardt
The last interim meeting was not very productive. The value I got was that
it would be useful to see if Nat, Brian and I could coalesce.

On Wed, Apr 18, 2018 at 7:21 AM Hannes Tschofenig 
wrote:

> Hi Dick,
>
>
>
> The value of a conference call as part of the OAuth working group is that
> you involve other interested parties to the discussion, and that you do not
> have to repeat your private conversations later again on the mailing list.
>
> That’s pretty convincing to me ;-)
>
>
>
> Ciao
>
> Hannes
>
>
>
>
>
> *From:* Dick Hardt [mailto:dick.ha...@gmail.com]
> *Sent:* 18 April 2018 16:15
> *To:* Hannes Tschofenig
> *Cc:* n-sakimura; oauth
>
>
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> F2F side/author meeting at Montreal
>
> Ad hoc author meeting call prior
>
>
>
> Unclear to me the value of a WG interim meeting
>
>
>
> On Wed, Apr 18, 2018 at 3:59 AM Hannes Tschofenig <
> hannes.tschofe...@arm.com> wrote:
>
> Hey guys,
>
>
>
> I am trying to find out what you are planning here.
>
>
>
> Are you talking about scheduling a side meeting at the next IETF meeting
> or a f2f meeting somewhere else?
>
>
>
> Rifaat and I had promised to schedule a conference call (virtual interim
> meeting) about distributed OAuth and we are targeting May. While holding a
> f2f interim meeting for OAuth is possible we have not discussed this so
> far.
>
>
>
> Ciao
> Hannes
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *n-sakimura
> *Sent:* 18 April 2018 07:34
> *To:* Dick Hardt; n-sakimura
> *Cc:* oauth
>
>
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> I support the idea. Adding to it, perhaps we can do an ad-hoc before
> Montreal so that we can come up with a combined draft.
>
>
>
> Nat Sakimura
>
> --
>
> *From:* Dick Hardt
> *Sent:* 18 April 2018 0:40:20
> *To:* n-sakimura
> *CC:* Rifaat Shekh-Yusef; oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
>
> I'd like to coordinate a side meeting with Nat, Brian, myself and other
> interested parties in Montreal to discuss Distributed OAuth.
>
>
>
> If we have two meetings, I'd like a timeslot in the second to summarize
> the side meeting and discuss next steps (if any).
>
>
>
> Separately, I'd like a time slot for an update on Reciprocal OAuth.
>
>
>
> On Wed, Mar 7, 2018 at 5:52 PM, n-sakimura  wrote:
>
> No, not really. I was thinking of a more informal thing. The session is
> supposed to be Wednesday afternoon, so I was thinking that it might be a
> good idea to do a bit of recap among contributors to draw up a battle plan
> towards IETF 102.
>
>
>
> Nat
>
>
>
> *From:* Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com]
> *Sent:* Wednesday, March 07, 2018 9:22 PM
> *To:* n-sakimura 
> *Cc:* Brian Campbell ; oauth 
>
>
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> Nat,
>
>
>
> Are you asking for an interim meeting?
>
> We could schedule the Distributed OAuth discussion for the Wednesday
> meeting; that will give you guys some time to discuss these face-to-face in
> London.
>
>
>
> Regards,
>
>  Rifaat
>
>
>
>
>
>
>
> On Wed, Mar 7, 2018 at 2:00 AM, n-sakimura  wrote:
>
> Then let us do it. We need to put all the proposals on the table and
> strategize the design.
>
> Perhaps we need a side meeting as well.
>
>
>
> nat
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Wednesday, March 07, 2018 1:31 AM
> *To:* Rifaat Shekh-Yusef 
> *Cc:* oauth 
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
>
>
> I hadn't previously been planning on it but am happy to do so.
>
>
>
> On Tue, Mar 6, 2018 at 8:22 AM, Rifaat Shekh-Yusef 
> wrote:
>
> Nat,
>
>
>
> During the interim meeting, 3 drafts were mentioned in the context of *Distributed
> OAuth*:
>
>
>
> https://tools.ietf.org/html/draft-sakimura-oauth-meta-08
> 
>
> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
> 
>
> https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
> 
>
>
>
>
>
> *Brian, Hannes,*
>
>

Re: [OAUTH-WG] Call for agenda items

2018-04-18 Thread Hannes Tschofenig
Hi Dick,

The value of a conference call as part of the OAuth working group is that you 
involve other interested parties in the discussion, and that you do not have to 
repeat your private conversations later again on the mailing list.
That’s pretty convincing to me ;-)

Ciao
Hannes


From: Dick Hardt [mailto:dick.ha...@gmail.com]
Sent: 18 April 2018 16:15
To: Hannes Tschofenig
Cc: n-sakimura; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

F2F side/author meeting at Montreal
Ad hoc author meeting call prior

Unclear to me the value of a WG interim meeting

On Wed, Apr 18, 2018 at 3:59 AM Hannes Tschofenig wrote:
Hey guys,

I am trying to find out what you are planning here.

Are you talking about scheduling a side meeting at the next IETF meeting or a 
f2f meeting somewhere else?

Rifaat and I had promised to schedule a conference call (virtual interim 
meeting) about distributed OAuth and we are targeting May. While holding a f2f 
interim meeting for OAuth is possible we have not discussed this so far.

Ciao
Hannes

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of n-sakimura
Sent: 18 April 2018 07:34
To: Dick Hardt; n-sakimura
Cc: oauth
Subject: Re: [OAUTH-WG] Call for agenda items

I support the idea. Adding to it, perhaps we can do an ad-hoc before Montreal 
so that we can come up with a combined draft.


Nat Sakimura
--
PLEASE READ: This e-mail is confidential and intended for the named recipient 
only. If you are not an intended recipient, please notify the sender and delete 
this e-mail.

From: Dick Hardt
Sent: April 18, 2018 0:40:20
To: n-sakimura
CC: Rifaat Shekh-Yusef; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

**
This e-mail was sent from a free mail service. Targeted attack e-mails can
arrive from free mail services, so please be careful. If you do not recognize
the message, do not open any attachments or URLs, and follow the procedure
described below.

Shared Information > Information Security Topics > If you receive a suspicious e-mail
or
NRI Group Security Portal > Information Security Topics > If you receive a suspicious e-mail
**
I'd like to coordinate a side meeting with Nat, Brian, myself and other 
interested parties in Montreal to discuss Distributed OAuth.

If we have two meetings, I'd like a timeslot in the second to summarize the 
side meeting and discuss next steps (if any).

Separately, I'd like a time slot for an update on Reciprocal OAuth.

On Wed, Mar 7, 2018 at 5:52 PM, n-sakimura wrote:

No, not really. I was thinking of a more informal thing. The session is supposed 
to be Wednesday afternoon, so I was thinking that it might be a good idea to do 
a bit of recap among contributors to draw up a battle plan towards IETF 102.

Nat

From: Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com]
Sent: Wednesday, March 07, 2018 9:22 PM
To: n-sakimura
Cc: Brian Campbell; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

Nat,

Are you asking for an interim meeting?

We could schedule the Distributed OAuth discussion for the Wednesday meeting; 
that will give you guys some time to discuss these face-to-face in London.

Regards,

 Rifaat

On Wed, Mar 7, 2018 at 2:00 AM, n-sakimura wrote:

Then let us do it. We need to put all the proposals on the table and strategize 
the design.

Perhaps we need a side meeting as well.

nat

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Wednesday, March 07, 2018 1:31 AM
To: Rifaat Shekh-Yusef
Cc: oauth
Subject: Re: [OAUTH-WG] Call for agenda items

I hadn't previously been planning on it but am happy to do so.

On Tue, Mar 6, 2018 at 8:22 AM, Rifaat Shekh-Yusef wrote:

Nat,

During the interim meeting, 3 drafts were mentioned in the context of Distributed 
OAuth:

https://tools.ietf.org/html/draft-sakimura-oauth-meta-08

https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02

https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00

Brian, Hannes,

Are you planning on presenting your documents?

Regards,

 Rifaat

On Mon, Mar 5, 2018 at 8:09 PM, Nat Sakimura wrote:

I would be interested in hearing that.

Also, as part of "Distributed OAuth", 

Re: [OAUTH-WG] Call for agenda items

2018-04-18 Thread Dick Hardt
F2F side/author meeting at Montreal
Ad hoc author meeting call prior

Unclear to me the value of a WG interim meeting

On Wed, Apr 18, 2018 at 3:59 AM Hannes Tschofenig wrote:

> Hey guys,
>
> I am trying to find out what you are planning here.
>
> Are you talking about scheduling a side meeting at the next IETF meeting
> or a f2f meeting somewhere else?
>
> Rifaat and I had promised to schedule a conference call (virtual interim
> meeting) about distributed OAuth and we are targeting May. While holding a
> f2f interim meeting for OAuth is possible we have not discussed this so
> far.
>
> Ciao
> Hannes
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *n-sakimura
> *Sent:* 18 April 2018 07:34
> *To:* Dick Hardt; n-sakimura
> *Cc:* oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
> I support the idea. Adding to it, perhaps we can do an ad-hoc before
> Montreal so that we can come up with a combined draft.
>
> Nat Sakimura
>
> --
>
> *From:* Dick Hardt
> *Sent:* April 18, 2018 0:40:20
> *To:* n-sakimura
> *CC:* Rifaat Shekh-Yusef; oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
> I'd like to coordinate a side meeting with Nat, Brian, myself and other
> interested parties in Montreal to discuss Distributed OAuth.
>
> If we have two meetings, I'd like a timeslot in the second to summarize
> the side meeting and discuss next steps (if any).
>
> Separately, I'd like a time slot for an update on Reciprocal OAuth.
>
> On Wed, Mar 7, 2018 at 5:52 PM, n-sakimura wrote:
>
> No, not really. I was thinking of a more informal thing. The session is
> supposed to be Wednesday afternoon, so I was thinking that it might be a
> good idea to do a bit of recap among contributors to draw up a battle plan
> towards IETF 102.
>
> Nat
>
> *From:* Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com]
> *Sent:* Wednesday, March 07, 2018 9:22 PM
> *To:* n-sakimura
> *Cc:* Brian Campbell; oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
> Nat,
>
> Are you asking for an interim meeting?
>
> We could schedule the Distributed OAuth discussion for the Wednesday
> meeting; that will give you guys some time to discuss these face-to-face in
> London.
>
> Regards,
>
>  Rifaat
>
> On Wed, Mar 7, 2018 at 2:00 AM, n-sakimura wrote:
>
> Then let us do it. We need to put all the proposals on the table and
> strategize the design.
>
> Perhaps we need a side meeting as well.
>
> nat
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Wednesday, March 07, 2018 1:31 AM
> *To:* Rifaat Shekh-Yusef
> *Cc:* oauth
> *Subject:* Re: [OAUTH-WG] Call for agenda items
>
> I hadn't previously been planning on it but am happy to do so.
>
> On Tue, Mar 6, 2018 at 8:22 AM, Rifaat Shekh-Yusef wrote:
>
> Nat,
>
> During the interim meeting, 3 drafts were mentioned in the context of *Distributed
> OAuth*:
>
> https://tools.ietf.org/html/draft-sakimura-oauth-meta-08
>
> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
>
> https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>
> *Brian, Hannes,*
>
> Are you planning on presenting your documents?
>
> Regards,
>
>  Rifaat
>
> On Mon, Mar 5, 2018 at 8:09 PM, Nat Sakimura wrote:
>
> I would be interested in hearing that.
>
> Also, as part of "Distributed OAuth", can we do a bit of re-cap on some of
> the previous drafts on the similar topic as we discussed in the interim?
> i.e., Brian's draft (where is the link now?) and my draft
> (draft-sakimura-oauth-meta)?
>
> Best,
>
> Nat
>
> On Tue, Mar 6, 2018 at 3:30 AM William Denniss wrote:
>
> Hannes & Rifaat,
>
> I would like the opportunity to present on OAuth 2.0 Incremental
> Authorization 

Re: [OAUTH-WG] Call for agenda items

2018-04-18 Thread Hannes Tschofenig
Hey guys,

I am trying to find out what you are planning here.

Are you talking about scheduling a side meeting at the next IETF meeting or a 
f2f meeting somewhere else?

Rifaat and I had promised to schedule a conference call (virtual interim 
meeting) about distributed OAuth and we are targeting May. While holding a f2f 
interim meeting for OAuth is possible we have not discussed this so far.

Ciao
Hannes

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of n-sakimura
Sent: 18 April 2018 07:34
To: Dick Hardt; n-sakimura
Cc: oauth
Subject: Re: [OAUTH-WG] Call for agenda items

I support the idea. Adding to it, perhaps we can do an ad-hoc before Montreal 
so that we can come up with a combined draft.


Nat Sakimura
--

From: Dick Hardt
Sent: April 18, 2018 0:40:20
To: n-sakimura
CC: Rifaat Shekh-Yusef; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

I'd like to coordinate a side meeting with Nat, Brian, myself and other 
interested parties in Montreal to discuss Distributed OAuth.

If we have two meetings, I'd like a timeslot in the second to summarize the 
side meeting and discuss next steps (if any).

Separately, I'd like a time slot for an update on Reciprocal OAuth.

On Wed, Mar 7, 2018 at 5:52 PM, n-sakimura wrote:

No, not really. I was thinking of a more informal thing. The session is supposed 
to be Wednesday afternoon, so I was thinking that it might be a good idea to do 
a bit of recap among contributors to draw up a battle plan towards IETF 102.

Nat

From: Rifaat Shekh-Yusef [mailto:rifaat.i...@gmail.com]
Sent: Wednesday, March 07, 2018 9:22 PM
To: n-sakimura
Cc: Brian Campbell; oauth
Subject: Re: [OAUTH-WG] Call for agenda items

Nat,

Are you asking for an interim meeting?

We could schedule the Distributed OAuth discussion for the Wednesday meeting; 
that will give you guys some time to discuss these face-to-face in London.

Regards,

 Rifaat

On Wed, Mar 7, 2018 at 2:00 AM, n-sakimura wrote:

Then let us do it. We need to put all the proposals on the table and strategize 
the design.

Perhaps we need a side meeting as well.

nat

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Wednesday, March 07, 2018 1:31 AM
To: Rifaat Shekh-Yusef
Cc: oauth
Subject: Re: [OAUTH-WG] Call for agenda items

I hadn't previously been planning on it but am happy to do so.

On Tue, Mar 6, 2018 at 8:22 AM, Rifaat Shekh-Yusef wrote:

Nat,

During the interim meeting, 3 drafts were mentioned in the context of Distributed 
OAuth:

https://tools.ietf.org/html/draft-sakimura-oauth-meta-08

https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02

https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00

Brian, Hannes,

Are you planning on presenting your documents?

Regards,

 Rifaat

On Mon, Mar 5, 2018 at 8:09 PM, Nat Sakimura wrote:

I would be interested in hearing that.

Also, as part of "Distributed OAuth", can we do a bit of re-cap on some of the 
previous drafts on the similar topic as we discussed in the interim? i.e., 
Brian's draft (where is the link now?) and my draft 
(draft-sakimura-oauth-meta)?

Best,

Nat

On Tue, Mar 6, 2018 at 3:30 AM William Denniss wrote:


Hannes & Rifaat,

I would like the opportunity to present on OAuth 2.0 Incremental Authorization 
(draft-wdenniss-oauth-incremental-auth) [an update for which will be posted 
today] and "OAuth 2.0 Device Posture Signals" 
(draft-wdenniss-oauth-device-posture).

I can also give an update on the status of Device Flow