I agree that it’s likely a claim that would be used in access tokens. I’m coming to the conclusion that we should actually write an access token profile for JWT and probably SAML as well. This would be parallel to the kinds of requirements placed on the use of SAML and JWT when used for client authentication and as resource grants. This could only help interoperability, as people would have a place to go to read about best practices for this use case.
-- Mike

From: Phil Hunt [mailto:phil.h...@oracle.com]
Sent: Saturday, March 16, 2013 2:52 AM
To: Mike Jones
Cc: Brian Campbell; Lewis Adam-CAL022; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

It's a question of whether the jwt spec alone is used (in which case it needs scope) or whether another profile for access tokens is needed. Since scope is fundamental to oauth, I think it is part of the core set of minimal attributes for access tokens. In fact I can envision cases where references to authorizing user or client might be eliminated or anonymized leaving only one. E.g. grant the holder of this token the right to do scope xyz.

Phil

Sent from my phone.

On 2013-03-15, at 21:03, Mike Jones <michael.jo...@microsoft.com> wrote:

Having a scope claim in specific profiles could make sense. That doesn't mean that it has to be defined in the JWT spec per se. If anything, people expressed a desire in yesterday's working group meeting to keep the base claims set small, rather than expanding it. Profiles can register the claims they define in the IANA JWT Claims registry, if they choose.

-- Mike

From: Lewis Adam-CAL022
Sent: March 15, 2013 3:55 PM
To: Brian Campbell
CC: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

I guess that it depends on what JWT is meant to be. My understanding is that it began as something to support Web SSO authentication for OIDC, so scope didn't make any sense then. Nor does it make any sense as a strict grant type. The use case where it becomes interesting (the one I am looking to) is for when an access token or refresh token is a JWT. I think some vendors are beginning to make their structured tokens a JWT, and that is my current thinking as well … if folks agree that JWT can be used as the structure for OAuth tokens, then it makes sense to include a scope field. If not, then it will be JSON+encryption+signing, just not a JWT ☺

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 15, 2013 5:16 PM
To: Lewis Adam-CAL022
Cc: Sergey Beryozkin; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Codifying a claim/attribute for scope that goes in the assertion is something that's been discussed but never seemed to get sufficient consensus regarding how exactly to do it and if it really provided much value.

On Fri, Mar 15, 2013 at 4:12 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant [1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?). Also RFC 6749 defines the scope parameter for the client credentials access token request [2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the "client_credentials" grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 <adam.le...@motorolasolutions.com> wrote:

Right ... thinking about this further I think the answer is "all of the above." If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim. So I change my argument to "both" :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:
> Hi John,
>
> I would like to argue that the scope should be a parameter in the access
> token request message, the same as it is for the RO creds grant and
> client creds grant type. This would keep it consistent with the core
> OAuth grant types that talk directly to the token endpoint.
>
Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey

> Thoughts?
>
> adam
>
> From: John Bradley [mailto:ve7...@ve7jtb.com]
> Sent: Friday, March 15, 2013 12:10 PM
> To: Lewis Adam-CAL022
> Cc: Brian Campbell; WG <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] JWT grant_type and client_id
>
> The spec is a touch vague on that. I think the scopes should be in the
> assertion and the client can use the scopes outside the assertion to
> down-scope.
>
> Having a standard claim in JWT and SAML for passing scopes is probably
> useful as part of a profile.
>
> John B.
>
> On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 <adam.le...@motorolasolutions.com> wrote:
>
> Hmmm, one more thought ... no scope?? The JWT is the grant, is it assumed
> that the scope is conveyed as a claim within the token? Otherwise it
> would seem that it would require a scope.
>
> Thoughts?
>
> adam
>
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Thursday, March 14, 2013 4:44 PM
> To: Lewis Adam-CAL022
> Cc: Mike Jones; WG <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] JWT grant_type and client_id
>
> Yes, that is correct.
>
> I'm working on new revisions of the drafts that will hopefully make that
> point more clear.
>
> On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022 <adam.le...@motorolasolutions.com> wrote:
>
> Coming back to this... am I correct in that client_id is not required? We
> are implementing this spec and want to make sure that we are doing it right.
> By my understanding the only two parameters that are required in the JWT
> grant type are "urn:ietf:params:oauth:grant-type:jwt-bearer" and the
> assertion. Is this correct?
>
> From: Mike Jones [mailto:michael.jo...@microsoft.com]
> Sent: Monday, February 18, 2013 6:58 PM
> To: Lewis Adam-CAL022; oauth@ietf.org WG
> Subject: RE: JWT grant_type and client_id
>
> The client_id value and the access token value are independent.
>
> -- Mike
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lewis Adam-CAL022
> Sent: Monday, February 18, 2013 2:50 PM
> To: oauth@ietf.org WG
> Subject: [OAUTH-WG] JWT grant_type and client_id
>
> Is there any guidance on the usage of client_id when using the JWT
> assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes
> no mention so I assume that it is not required ... but it would be
> necessary if using in conjunction with a HOK profile where the JWT
> assertion is issued to - and may only be used by - the intended client.
> Obviously this is straightforward enough, really I'm just looking to be
> sure that I'm not missing anything.
>
> tx
>
> adam
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
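The exchange the thread keeps circling, as an added example that is not code from the thread, from any IETF draft or from any vendor mentioned in it: a Python round trip in which the client sends only grant_type and assertion (plus an optional scope or client_id form parameter, the placement draft-ietf-oauth-assertions section 4.1 describes), the authorization server validates the assertion and mints a JWT access token carrying the granted scope as a claim, and the resource server authorizes on that claim. The endpoints, keys, client identifier, timestamp and the `scope` claim name are assumptions of this example (the thread notes that no such claim was standardized at the time; the name was registered later by RFC 8693), and HS256 is used only so the example runs without third-party libraries.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# All of the following are constructed for this example (hypothetical endpoints, demo keys).
# HS256 keeps the example dependency-free; deployments of the JWT bearer profile normally
# use asymmetric keys so the AS holds nothing that could forge a client's assertions.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"
AS_ISSUER = "https://as.example.com"
RS_AUDIENCE = "https://rs.example.com"
CLIENT_KEY = b"constructed-client-assertion-key"
AS_KEY = b"constructed-as-access-token-key"

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_hs256(claims, key):
    """Compact-serialization JWS over a JSON claims set."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token, key, now):
    """Pin the alg, check the signature and exp, return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims

# Client: grant_type and assertion are the only required parameters; scope and
# client_id ride alongside the assertion as optional form parameters.
def build_token_request(assertion, scope=None, client_id=None):
    params = {"grant_type": JWT_BEARER, "assertion": assertion}
    if scope is not None:
        params["scope"] = scope
    if client_id is not None:
        params["client_id"] = client_id
    return urlencode(params)

# Authorization server: registered maps assertion issuer -> {"allowed_scope": set(...)}.
def handle_token_request(body, now, registered):
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if params.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported_grant_type")
    if "assertion" not in params:
        raise ValueError("invalid_request")
    a = verify_hs256(params["assertion"], CLIENT_KEY, now)
    if a.get("aud") != TOKEN_ENDPOINT or a.get("iss") not in registered:
        raise ValueError("invalid_grant")  # not addressed to this AS, or unknown issuer
    # Assumption for the demo: assertions are self-issued, so iss names the client. A client_id
    # that disagrees with it means an assertion issued to someone else is being presented.
    if "client_id" in params and params["client_id"] != a["iss"]:
        raise ValueError("invalid_client")
    allowed = set(registered[a["iss"]]["allowed_scope"])
    # Scope is a request parameter, not a claim in the assertion; omitting it asks for everything
    # the issuer is allowed, and the parameter can only narrow that, never widen it.
    requested = set(params["scope"].split()) if "scope" in params else allowed
    if not requested <= allowed:
        raise ValueError("invalid_scope")
    granted = " ".join(sorted(requested))
    access_token = jws_hs256({"iss": AS_ISSUER, "sub": a["sub"], "aud": RS_AUDIENCE,
                              "iat": now, "exp": now + 600,
                              "scope": granted},  # scope as a claim in the JWT access token
                             AS_KEY)
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": 600, "scope": granted}

# Resource server: trusts only the AS key and its own audience, authorizes on the scope claim.
def rs_permits(access_token, required_scope, now):
    try:
        c = verify_hs256(access_token, AS_KEY, now)
    except ValueError:
        return False
    return c.get("aud") == RS_AUDIENCE and required_scope in c.get("scope", "").split()

def _refusal(body, now, registered):
    """The AS error for a rejected request, or None if it was accepted."""
    try:
        handle_token_request(body, now, registered)
        return None
    except ValueError as e:
        return str(e)

def demo(now=1363392000):
    """Constructed round trip: the client may hold read and write but asks only for read."""
    assertion = jws_hs256({"iss": "client-123", "sub": "alice@example.com", "aud": TOKEN_ENDPOINT,
                           "iat": now, "exp": now + 300, "jti": "demo-jti-1"}, CLIENT_KEY)
    registered = {"client-123": {"allowed_scope": {"read", "write"}}}
    resp = handle_token_request(build_token_request(assertion, scope="read"), now, registered)
    return {
        "response": resp,
        "read_ok": rs_permits(resp["access_token"], "read", now),
        "write_ok": rs_permits(resp["access_token"], "write", now),
        "escalation": _refusal(build_token_request(assertion, scope="read admin"), now, registered),
        "wrong_client": _refusal(build_token_request(assertion, client_id="client-999"), now, registered),
        "expired": _refusal(build_token_request(assertion), now + 301, registered),
    }
```

The two places scope appears are deliberately different things: on the token request it is a parameter that can only narrow what the assertion's issuer is registered for, while in the access token it is a claim the resource server reads after checking the AS signature and its own audience. Whichever of the two placements a profile settles on, the subset check against the issuer's registration at the AS is the part that cannot be skipped, since a scope carried inside a bearer assertion is still only a request from the party that signed it.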