Hi
On 15/03/13 20:40, Lewis Adam-CAL022 wrote:
Hi John,
I would like to argue that the scope should be a parameter in the access
token request message, the same as it is for the RO creds grant and
client creds grant type. This would keep it consistent with the core
OAuth grant types that talk directly to the token endpoint.
Assuming the assertion is acting as a grant, then it is indeed an access
token request message, so IMHO it makes sense to get an outbound scope
parameter optionally supported which I guess will imply that the client
id will also have to accompany it...
Cheers, Sergey
Thoughts?
adam
*From:*John Bradley [mailto:ve7...@ve7jtb.com]
*Sent:* Friday, March 15, 2013 12:10 PM
*To:* Lewis Adam-CAL022
*Cc:* Brian Campbell; "WG <oauth@ietf.org>"@il06exr02.mot.com
*Subject:* Re: [OAUTH-WG] JWT grant_type and client_id
The spec is a touch vague on that. I think the scopes should be in the
assertion and the client can use the scopes outside the assertion to
down-scope.
Having a standard claim in JWT and SAML for passing scopes is probably
useful as part of a profile.
John B.
On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 <adam.le...@motorolasolutions.com> wrote:
Hmmm, one more thought … no scope?? The JWT is the grant, is it assumed
that the scope is conveyed as a claim within the token? Otherwise it
would seem that it would require a scope.
Thoughts?
adam
*From:* Brian Campbell [mailto:bcampb...@pingidentity.com]
*Sent:* Thursday, March 14, 2013 4:44 PM
*To:* Lewis Adam-CAL022
*Cc:* Mike Jones; "WG <oauth@ietf.org>"@il06exr02.mot.com
*Subject:* Re: [OAUTH-WG] JWT grant_type and client_id
Yes, that is correct.
I'm working on new revisions of the drafts that will hopefully make that
point more clear.
On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022 <adam.le...@motorolasolutions.com> wrote:
Coming back to this… am I correct in that client_id is not required? We are
implementing this spec and want to make sure that we are doing it right. By my
understanding the only two parameters that are required in the JWT grant type are
"urn:ietf:params:oauth:grant-type:jwt-bearer" and the assertion. Is
this correct?
*From:* Mike Jones [mailto:michael.jo...@microsoft.com]
*Sent:* Monday, February 18, 2013 6:58 PM
*To:* Lewis Adam-CAL022; oauth@ietf.org WG
*Subject:* RE: JWT grant_type and client_id
The client_id value and the access token value are independent.
-- Mike
*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On Behalf Of* Lewis Adam-CAL022
*Sent:* Monday, February 18, 2013 2:50 PM
*To:* oauth@ietf.org WG
*Subject:* [OAUTH-WG] JWT grant_type and client_id
Is there any guidance on the usage of client_id when using the JWT
assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes
no mention so I assume that it is not required … but it would be
necessary if using in conjunction with a HOK profile where the JWT
assertion is issued to – and may only be used by – the intended client.
Obviously this is straightforward enough, really I’m just looking to be
sure that I’m not missing anything.
tx
adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
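The token request this thread is debating, as an added example that is not from any of the posters or from the draft: a minimal token-endpoint handler that requires only grant_type and assertion, treats scope as an optional request parameter that can only narrow the scope carried in the assertion (John's down-scoping reading), and, for the holder-of-key case Adam raises, demands a matching client_id whenever the assertion names a bound client. The HS256 shared key, the `scope` claim and the `bound_client` claim name are assumptions made for this demo.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
KEY = b"constructed-demo-key"  # constructed HMAC key shared with the assertion issuer

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(claims: dict) -> str:
    # Issuer side: compact HS256 JWT over the given claims (demo signing only).
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_assertion(token: str, now: int) -> dict:
    # Authorization server side: check signature and expiry before trusting any claim.
    head, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid_grant")  # signature does not verify
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("invalid_grant")  # assertion expired
    return claims

def token_request(form_body: str, now: int) -> dict:
    # Token endpoint: grant_type and assertion are the only required parameters.
    params = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if params.get("grant_type") != JWT_BEARER or "assertion" not in params:
        raise ValueError("invalid_request")
    claims = verify_assertion(params["assertion"], now)
    granted = set(claims.get("scope", "").split())  # assumed "scope" claim in the JWT
    if "scope" in params:  # optional request scope may only narrow the assertion's scope
        requested = set(params["scope"].split())
        if not requested <= granted:
            raise ValueError("invalid_scope")
        granted = requested
    # Holder-of-key case: if the assertion names a bound client ("bound_client" is a
    # constructed claim name for this demo), a matching client_id becomes mandatory.
    if "bound_client" in claims and params.get("client_id") != claims["bound_client"]:
        raise ValueError("invalid_grant")
    return {"sub": claims.get("sub"), "scope": " ".join(sorted(granted)),
            "client_id": params.get("client_id")}
```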