Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-13 Thread Richard Backman, Annabelle
er in addition to the ones listed here? *From: *OAuth <mailto:oauth-boun...@ietf.org> on behalf of Denis <mailto:denis.i...@free.fr> *Date: *Thursday, April 9, 2020 at 09:26 *To: *oauth <mailto:oauth@ietf.org> *Subject: *Re: [OAUTH-WG] WGLC on "JSON Web Token

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-12 Thread Denis
t vendors used proprietary functional equivalents. What other interoperable mechanisms would you offer in addition to the ones listed here? *From: *OAuth on behalf of Denis *Date: *Thursday, April 9, 2020 at 09:26 *To: *oauth *Subject: *Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profi

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-11 Thread Benjamin Kaduk
f that calls > > for a version? If it’s a matter of extensions, those should always be > > possible – it’s more breaking changes that require versioning, but I > > don’t recall precedents in similar specs. > > > > If this is aimed at mitigating the “AS changes for

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-10 Thread Denis
be for- at least at the time in which the spec was incepted. In fact, resource indicators was not even RFC and in market vendors used proprietary functional equivalents. What other interoperable mechanisms would you offer in addition to the ones listed here? *From: *OAuth on behalf of Denis

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-10 Thread Vittorio Bertocci
09:26 To: oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" I have three concerns, two of them being related to privacy. 1) Privacy has not really been a concern in the WG since originally the AT and the RS were co-located. However, th

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-09 Thread Denis
I have three concerns, two of them being related to privacy. 1) Privacy has not really been a concern in the WG since originally the AT and the RS were co-located. However, this draft now recognizes that there may exist cases where "the authorization server and resource server are not

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-03 Thread George Fletcher
Thanks Vittorio for the thorough response! I agree that how scopes are handled is very different across deployments. Scopes used for an RP with a mobile app (e.g. something like OpenTable) are going to be very different than a multi-tenant enterprise system with fixed services and roles that

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-03 Thread Vittorio Bertocci
Thanks Annabelle and George! I am consolidating replies to both your latest comments in this mail. This seems a hard rock to lift, but it also seems to be the last one . The TL;DR is, I am not completely opposed to relaxing the constraints and turning them into security considerations, but I

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-31 Thread Vittorio Bertocci
: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" Preventing token substitution/confusion was not at all the aim of my comment. I only brought that up in an attempt to bridge what looked like a communication gap in Annabelle's and your discussion. Sor

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-26 Thread Brian Campbell
> That works for me! > > > > *From:* George Fletcher > *Sent:* Wednesday, March 25, 2020 11:56 AM > *To:* vittorio.berto...@auth0.com; 'Brian Campbell' 40pingidentity@dmarc.ietf.org> > *Cc:* 'Brian Campbell' ; 'oauth' < > oauth@ietf.org> > *Subject:* Re: [OAU

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Vittorio Bertocci
auth0@dmarc.ietf.org" , 'George Fletcher' , 'Brian Campbell' Cc: 'oauth' Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" This is another manifestation of the limits of jwks_uri that I’ve brought up on the list previously<https://

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Vittorio Bertocci
at works for me! From: George Fletcher Sent: Wednesday, March 25, 2020 11:56 AM To: vittorio.berto...@auth0.com; 'Brian Campbell' Cc: 'Brian Campbell' ; 'oauth' Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" If we don't want to give gui

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Vittorio Bertocci
to sign JWT ATs” work better? From: Brian Campbell Date: Wednesday, March 25, 2020 at 14:26 To: Vittorio Bertocci Cc: George Fletcher , Brian Campbell , oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" It seems to me that leaving that ou

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Brian Campbell
> > > > *From:* George Fletcher > *Sent:* Wednesday, March 25, 2020 11:56 AM > *To:* vittorio.berto...@auth0.com; 'Brian Campbell' 40pingidentity@dmarc.ietf.org> > *Cc:* 'Brian Campbell' ; 'oauth' < > oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] WGLC on "JSON Web

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread vittorio.bertocci=40auth0.com
That works for me! From: George Fletcher Sent: Wednesday, March 25, 2020 11:56 AM To: vittorio.berto...@auth0.com; 'Brian Campbell' Cc: 'Brian Campbell' ; 'oauth' Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" If we don't wa

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread George Fletcher
torio Bertocci ; oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" I don't think you are missing anything, George (except that, to be pedantic, `kid` is a header rather than a claim). The question gave me pause, however, and m

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread vittorio.bertocci=40auth0.com
ance further. From: Brian Campbell Sent: Wednesday, March 25, 2020 11:21 AM To: George Fletcher Cc: Brian Campbell ; Vittorio Bertocci ; oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" I don't think you are missing anything,

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Brian Campbell
any other reason they might have) and a > headsup to RSes so that they don’t make assumptions. > > > > *From:* Brian Campbell > > *Sent:* Wednesday, March 25, 2020 8:48 AM > *To:* Vittorio Bertocci > > *Cc:* Richard Backman, Annabelle ; > oauth > *Subject:* R

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread George Fletcher
* Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's comment was an assumption that signing ATs and ID Tokens with different keys would be done to prevent token substitution/confusion. And

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Brian Campbell
e assumptions. > > > > *From:* Brian Campbell > *Sent:* Wednesday, March 25, 2020 8:48 AM > *To:* Vittorio Bertocci > *Cc:* Richard Backman, Annabelle ; oauth < > oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread vittorio.bertocci=40auth0.com
asons listed below, or any other reason they might have) and a headsup to RSes so that they don’t make assumptions. From: Brian Campbell Sent: Wednesday, March 25, 2020 8:48 AM To: Vittorio Bertocci Cc: Richard Backman, Annabelle ; oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JW

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread vittorio.bertocci=40auth0.com
"JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci mailto:40auth0@dmarc.ietf.org> > wrote: >4 p1: Saying asymmetric signatures are RECOMMENDED presupposes that key >distribution is the implementer’s prim

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Brian Campbell
I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's comment was an assumption that signing ATs and ID Tokens with different keys would be done to prevent token substitution/confusion. And there's not really a practical way to achieve that with the mechanics of the jwks_uri.

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Brian Campbell
On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci wrote: > *>4 p1: Saying asymmetric signatures are RECOMMENDED presupposes that key > distribution is the implementer’s primary concern. MAC-based > implementations shouldn’t be seen as some weird edge case scenario (though > it’d be worth

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-25 Thread Vittorio Bertocci
that step? Knits: will sweep thru them tomorrow and apply to the text accordingly. THANK YOU! From: OAuth on behalf of "Richard Backman, Annabelle" Date: Tuesday, March 24, 2020 at 15:45 To: 'oauth' Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Richard Backman, Annabelle
To borrow a term from ML, I think the "aud", "scope", and resource indicator-related text is overfitted to a specific set of deployment scenarios, and a specific way of using scopes and resource indicators. Consider the following: 1. There may be no "scope" parameter The "scope" parameter is

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Vittorio Bertocci
-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" Just a general comment, OIDC has been designed for a specific reason (“identity layer on top of the OAuth 2.0”) whereas JWT access tokens are used for more applications. Since the goal of this specification is t

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Vittorio Bertocci
Thanks George for the super thorough review and feedback! Inline > Section 1. Introduction - second line: scenario should be plural --> scenarios - second sentence: "are not ran by" --> "are not run by" - cofidentiality --> confidentiality Fixed. Thanks! >

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Nikos Fotiou
to the proprietary JWT access tokens layout”, I feel it is restrictive. Best, Nikos From: Vittorio Bertocci Sent: Tuesday, March 24, 2020 7:57 PM To: Nikos Fotiou Cc: Hannes Tschofenig ; oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread George Fletcher
stuffing. From: OAuth on behalf of George Fletcher Date: Tuesday, March 24, 2020 at 11:48 To: Vittorio Bertocci , Takahiko Kawasaki Cc: oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens" Focusing just on this comment... This assumes the s

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Vittorio Bertocci
resource was a mandatory request param) to v2, where the resource was inferred from the scopes via scopes stuffing. From: OAuth on behalf of George Fletcher Date: Tuesday, March 24, 2020 at 11:48 To: Vittorio Bertocci , Takahiko Kawasaki Cc: oauth Subject: Re: [OAUTH-WG] WGLC on "JSON Web

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread George Fletcher
Focusing just on this comment... This assumes the system uses a specific implementation of scopes values (e.g. 'read', 'write', 'delete'). It is very possible that in the context of a calendar service and an inbox service... the system defines scopes like 'cal-r', 'cal-w', 'mail-r', 'mail-w'

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Vittorio Bertocci
Hi Takahiko, thank you for reviewing and taking the time to write down your feedback! Inline [..] apparently conflicts with RFC 8707. I'm afraid vendors that support > RFC 8707 won't support this draft unless the requirement is loosened, for > example from MUST to SHOULD. I don't think this can

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Vittorio Bertocci
Hi Nikos, thanks for taking the time to review and write down your feedback! Inline - In Section 2.2 why nbf claim ( > https://tools.ietf.org/html/rfc7519#section-4.1.5) > is not considered? I > can imagine some interesting applications of

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread George Fletcher
Feedback on the spec... Section 1. Introduction - second line: scenario should be plural --> scenarios - second sentence: "are not ran by" --> "are not run by" Section 2.2.1 Authentication Information Claims - I'm not sure that this definition of `auth_time` allows for

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Filip Skokan
Ad 1) the language is tricky but it does not say forbid the client from sending in two resource values to the authorization endpoint, it says that when access token is issued (i.e. the authorization_code grant at the token endpoint) one of the granted resource values must be part of the request or

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-24 Thread Takahiko Kawasaki
(1) The requirement in the paragraph below excerpted from "3. Requesting a JWT Access Token": *If it receives a request for an access token containing more than one resource parameter, an authorization server issuing JWT access tokens MUST reject the request and fail with "invalid_request" as

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-03-23 Thread Nikos Fotiou
Hi all, Allow me some comments and forgive me if some of them are naïve. - In Section 2.2 why nbf claim (https://tools.ietf.org/html/rfc7519#section-4.1.5) is not considered? I can imagine some interesting applications of this claim. - In the same section, it is not clear why some claims are