Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens: IPR Confirmation

2020-09-18 Thread Vittorio Bertocci
Hi Hannes, Thank you! I am not aware of any IPR related to https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/. On 9/17/20, 05:48, "Hannes Tschofenig" wrote: Hi Vittorio, I am working on the shepherd writeup for the "JSON Web Token (JWT) Profile for OAuth 2.0

[OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens: IPR Confirmation

2020-09-17 Thread Hannes Tschofenig
Hi Vittorio, I am working on the shepherd writeup for the "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" specification: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08 One item in the template requires me to indicate whether each document author has confirmed that

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-03 Thread Denis
Hi Benjamin, My responses are between the lines. Hi Denis, On Tue, Jun 02, 2020 at 10:20:36AM +0200, Denis wrote: Hi Benjamin, Responses are between the lines. On Fri, May 22, 2020 at 11:37:28AM +0200, Denis wrote: Hi Benjamin, On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote:

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-02 Thread Benjamin Kaduk
Hi Denis, On Tue, Jun 02, 2020 at 10:20:36AM +0200, Denis wrote: > Hi Benjamin, > > Responses are between the lines. > > > On Fri, May 22, 2020 at 11:37:28AM +0200, Denis wrote: > >> Hi Benjamin, > >>> On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote: > Since then, I questioned myself

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-02 Thread Benjamin Kaduk
On Mon, Jun 01, 2020 at 10:06:22PM +0530, Janak Amarasena wrote: > Hi all, > > My apologies, if this was already discussed. > > In section *4*. Validating JWT Access Tokens > > it > is stated; > > The resource server

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-02 Thread Denis
Hi Benjamin, Responses are between the lines. On Fri, May 22, 2020 at 11:37:28AM +0200, Denis wrote: Hi Benjamin, On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote: Since then, I questioned myself how a client would be able to request an access token that would be *strictly compliant

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-06-01 Thread Janak Amarasena
Hi all, My apologies, if this was already discussed. In section *4*. Validating JWT Access Tokens it is stated; The resource server MUST handle errors as described in section 3.1 of [RFC6750]

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-30 Thread Benjamin Kaduk
On Fri, May 22, 2020 at 11:37:28AM +0200, Denis wrote: > Hi Benjamin, > > On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote: > >> Since then, I questioned myself how a client would be able to request an > >> access token that would be > >> *strictly compliant with this Profile*. > > I don't

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-22 Thread Denis
Hi Benjamin, On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote: Since then, I questioned myself how a client would be able to request an access token that would be *strictly compliant with this Profile*. I don't understand why this is an interesting question to ask. The access token and

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-21 Thread Benjamin Kaduk
On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote: > > Since then, I questioned myself how a client would be able to request an > access token that would be > *strictly compliant with this Profile*. I don't understand why this is an interesting question to ask. The access token and

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-14 Thread Denis
Hi Vittorio, I raised the following question: In the future, if additional parameters are included in the request, will the "sub" claim necessarily be present in the access token? The answer to this question does not seem to be present in the draft. Would you be able to provide an

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-14 Thread Vittorio Bertocci
Denis, the change you mentioned is basically a typo, which I did fix but did not publish a new draft for - that doesn’t change the substance of the consensus (and is something that will be fixed in the subsequent phases of the process). Whether the sub should be mandatory has been discussed for two

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-14 Thread Denis
The current version of this draft is "draft-ietf-oauth-access-token-jwt-07" issued on April the 27th. This means that comments sent later on on the list have not been incorporated in this draft. In particular, this one sent on April the 28th: *1)* The title of this spec. is: JSON Web

Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-13 Thread Steinar Noem
Sorry for coming late in the game, but I really think that the "sub" claim should be OPTIONAL instead of REQUIRED. We are implementing OAuth 2.0 for the Norwegian health sector, where we have several resources in production already. I don't think the "sub" claim should have different meaning

[OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

2020-05-13 Thread Rifaat Shekh-Yusef
All, Based on the 3rd WGLC, we believe that we have consensus to move this document forward. https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/ We will be working on the shepherd write-up and then submit the document to the IESG soon. Regards, Rifaat & Hannes