>> scope, but it just seems that claims, scopes, and audiences are each unique
>> and should be kept that way.
>>
>> adam
>>
>> From: Phil Hunt [mailto:phil.h...@oracle.com]
>> Sent: Monday, March 11, 2013 9:25 AM
>> To: Nat Sakimura
>>
One thing that concerns me is that scope is very different from a claim. An
+1
From: Brian Campbell
Sent: 2/28/2013 1:00 PM
To: prateek mishra
Cc: oauth
Subject: Re: [OAUTH-WG] JWT - scope claim missing
Thanks Prateek. I like it and I think wordy might be the way to go here.
On Thu, Feb 28, 2013 at 1:43 PM, prateek mishra
From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, February 28, 2013 1:36 PM
To: Lewis Adam-CAL022
Cc: John Bradley; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] JWT - scope claim missing
I do agree that a WG profile of a JWT-structured access token could lend itself
to interoperability and ultimately be a useful thin
Thanks Prateek. I like it and I think wordy might be the way to go here.
On Thu, Feb 28, 2013 at 1:43 PM, prateek mishra wrote:
> SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization
> Grants
> JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
> Assertio
I believe that, depending on the resource server, scope is important for
both the security layer and the application function layer. For example, an
application may wish to use scope as a set of entitlements. Does the client have
the entitlement "readProfile"?
It makes no sense to me to have a scope
SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization
Grants
JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
Assertion Framework for OAuth 2.0
a bit wordy, but does get the point across IMO
- prateek
Agreed, profiling needs to happen for access tokens someplace. The MAC spec
is probably not the best place if the claims are used outside of MAC as well.
There is a separate issue once we get to that profile about scope. I don't
know many RS that do a 1-to-1 mapping of scope at the AS. No
-- Mike
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Thursday, February 28, 2013 11:25 AM
To: John Bradley
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] JWT - scope claim missing
To be fair, I think it was Phil who first conflated the things :) I just
picked up the ball and ran with it. But you are right, I did kind of hijack
the thread which was originally about if a scope claim should be defined in
draft-ietf-oauth-json-web-token. I'd say no but I can see how an argument
Brian, I think you're conflating two things (and John might be, too). On
the one hand, we've got the JWT document, which talks about what goes
into the token itself. This can be used as an assertion, as an access
token, as a floor wax / dessert topping. JWT doesn't really care, and
this is real
I'm not sure anyone really "picked" the titles for the bearer token
profiles. They just kind of evolved. And evolved in funny ways especially
when client authn to the AS was added.
You won't hear me argue that the titles are "good" and this is not the
first time there's been confusion about what t
Yes the title likely adds to the confusion given that the bearer tokens are not
access tokens.
Things as separate from OAuth as the Firefox BrowserID spec use JWS-signed JWTs.
The bearer token profiles for OAuth 2 are for OAuth2.
The JSON Web Token (JWT) spec did not start in OAuth and is not
JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
Note the title says "for OAuth2"
Sorry. Couldn't resist.
Phil
Sent from my phone.
On 2013-02-28, at 9:40, John Bradley wrote:
> JWT is an assertion (I am probably going to regret using that word).
>
> It is used in openID connect for
I guess we first have to agree whether there is a security benefit of
communicating the scope from the AS to the RS (in a way that it cannot
be modified by the client or any other party).
The scope indicates permissions (for example, whether the resource owner
allowed read access to a certain
JWT is an assertion (I am probably going to regret using that word).
It is used in openID connect for id_tokens, it is used in OAuth for Assertion
grant types and authentication of the client to the token endpoint.
http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04
JSON Web Token (JWT) Be
Yes IETF WG politics:)
Should JWT and JOSE be together? Through a number of twists and turns they
are not, let's not go there.
But to the point a number of us have made JWT is used in OAuth for more than
access tokens.
Currently it's only use in OAuth is in the JWT assertions profile that h
What people are doing now is often issuing SAML-like assertions. That's not
necessarily indicating intent. It just indicates transition.
Phil
Sent from my phone.
On 2013-02-28, at 9:07, John Bradley wrote:
> I am not advocating anything, only stating what people are doing now.
>
> How authoriz
Are you saying JWT is not an access token type?
Phil
Sent from my phone.
On 2013-02-28, at 8:58, John Bradley wrote:
> Yes, defining scope in JWT is the wrong place. JWT needs to stick to the
> security claims needed to process JWT.
>
> I also don't know how far you get requiring a specifi
Am I missing something? JWT is firstly an OAuth spec. Otherwise why isn't it in
the JOSE WG?
Phil
Sent from my phone.
On 2013-02-28, at 8:44, Brian Campbell wrote:
> I think John's point was more that scope is something rather specific to an
> OAuth access token and, while JWT is can be used to r
I am not advocating anything, only stating what people are doing now.
How authorization is communicated between the AS and RS via a token that is
opaque to the client is out of scope for OAuth core, it might be magic pixie
dust.
This has led to a number of ways people are doing it.
JWT along wit
Yes, defining scope in JWT is the wrong place. JWT needs to stick to the
security claims needed to process JWT.
I also don't know how far you get requiring a specific authorization format for
JWT, some AS will want to use an opaque reference, some might want to use a user
claim or role claim, o
I think John's point was more that scope is something rather specific to an
OAuth access token and, while JWT can be used to represent an access
token, it's not the only application of JWT. The 'standard' claims in JWT
are those that are believed (right or wrong) to be widely applicable across
d
Personally I am starting to feel strongly that access tokens should be highly
contextual and therefore tightly bound to specific resources.
It seems to me trust will get incredibly complex if we start federating access
tokens. My belief is that UMA needs to still chain to local authorization
s
Are you advocating TWO systems? That seems like a bad choice.
I would rather fix scope than go to a two system approach.
Phil
Sent from my phone.
On 2013-02-28, at 8:17, John Bradley wrote:
> While scope is one method that an AS could communicate authorization to an RS,
> it is not the only o
While scope is one method that an AS could communicate authorization to an RS, it
is not the only or perhaps even the most likely one.
Using scope requires a relatively tight binding between the RS and AS, UMA
uses a different mechanism that describes finer grained operations.
The AS may include
Hi Mike,
when I worked on the MAC specification I noticed that the JWT does not have a
claim for the scope. I believe that this would be needed to allow the resource
server to verify whether the scope the authorization server authorized is
indeed what the client is asking for.
Ciao
Hannes
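The check Hannes describes, as an added example that is not code from this thread or from any of the drafts it mentions: the AS signs the granted scope into the token, and the RS verifies the signature, audience and expiry before comparing the granted scope with what the request needs. The `scope` claim name, the HS256 shared key and the example URLs are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by AS and RS (HS256); not from the thread.
KEY = b"demo-shared-secret-for-illustration-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims: dict, key: bytes = KEY) -> str:
    """AS side: issue a JWS-signed JWT whose payload carries the granted scope
    under an assumed 'scope' claim (space-delimited, like the OAuth scope parameter)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def rs_authorize(token, expected_aud, required_scope, key=KEY, now=None):
    """RS side: verify the token before trusting its scope, then check that the
    scope the AS granted covers what this request needs. Returns (ok, reason)."""
    try:
        h, p, s = token.split(".")
        hdr = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if hdr.get("alg") != "HS256":          # never let the token pick the algorithm
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        return False, "bad signature"     # the client (or anyone) edited the claims
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("aud") != expected_aud:  # token was minted for some other RS
        return False, "wrong audience"
    granted = set(claims.get("scope", "").split())
    missing = set(required_scope) - granted
    if missing:
        return False, "insufficient scope: " + " ".join(sorted(missing))
    return True, "ok"
```

Because the scope travels inside the signed payload, a client that rewrites it invalidates the signature, which is the property the RS relies on to trust the AS's decision rather than the client's request.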