As it’s currently written it’s not really limited to defining JWT claims, and 
so I’m with John that if that’s what this turns into and stays that way then 
it’s fine. I’m very afraid of scope creep and this being used for something it 
shouldn’t be.

And, as Mike well knows, I did not support the decision to bring JWT to this 
group, nor do I think we should be necessarily bound by the mistakes of the 
past when making future decisions of what to work on. :)

 — Justin

> On Jan 20, 2016, at 5:07 PM, John Bradley <ve7...@ve7jtb.com> wrote:
> 
> So if this is scoped to be a registry for the values of a JWT claim then it 
> is fine.
> We should discourage people from thinking that it is part of the OAuth 
> protocol vs JWT claims.
> 
> John B.
> 
>> On Jan 20, 2016, at 6:29 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>> 
>> The primary purpose of the specification is to establish a registry for 
>> "amr" JWT claim values.  This is important, as it increases interoperability 
>> among implementations using this claim.
>> 
>> It's a fair question whether "requested_amr" should be kept or dropped.  I 
>> agree with John and James that it's bad architecture.  I put it in the -00 
>> individual draft to document existing practice.  I suspect that should the 
>> draft is adopted by the working group as a starting point, one of the first 
>> things the working group will want to decide is whether to drop it.  I 
>> suspect that I know how this will come out and I won't be sad, 
>> architecturally, to see it go.
>> 
>> As to whether this belongs in the OAuth working group, long ago it was 
>> decided that JWT and JWT claim definitions were within scope of the OAuth 
>> working group.  That ship has long ago sailed, both in terms of RFC 7519 and 
>> it continues to sail, for instance, in draft-ietf-oauth-proof-of-possession, 
>> which defines a new JWT claim, and is in the RFC Editor Queue.  Defining a 
>> registry for values of the "amr" claim, which is registered in the 
>> OAuth-established registry at http://www.iana.org/assignments/jwt, is 
>> squarely within the OAuth WG's mission for the creation and stewardship of 
>> JWT.
>> 
>>                              -- Mike
>> 
>> -----Original Message-----
>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
>> Sent: Wednesday, January 20, 2016 12:44 PM
>> To: Justin Richer <jric...@mit.edu>
>> Cc: <oauth@ietf.org> <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Call for Adoption: Authentication Method Reference 
>> Values
>> 
>> I see your point that it is a fine line reporting how a person authenticated 
>> to a Authorization endpoit (it might be by SAML etc) and encouraging people 
>> to use OAuth for Authentication.
>> 
>> We already have the amr response in connect.  The only thing really missing 
>> is a registry.  Unless this is a sneaky way to get requested_amr into 
>> Connect?
>> 
>> John B.
>>> On Jan 20, 2016, at 5:37 PM, Justin Richer <jric...@mit.edu> wrote:
>>> 
>>> Just reiterating my stance that this document detailing user authentication 
>>> methods has no place in the OAuth working group.
>>> 
>>> — Justin
>>> 
>>>> On Jan 19, 2016, at 6:48 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> 
>>>> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> this is the call for adoption of Authentication Method Reference
>>>> Values, see
>>>> https://tools.ietf.org/html/draft-jones-oauth-amr-values-03
>>>> 
>>>> Please let us know by Feb 2nd whether you accept / object to the
>>>> adoption of this document as a starting point for work in the OAuth
>>>> working group.
>>>> 
>>>> Note: The feedback during the Yokohama meeting was inconclusive,
>>>> namely
>>>> 9 for / zero against / 6 persons need more information.
>>>> 
>>>> You feedback will therefore be important to find out whether we
>>>> should do this work in the OAuth working group.
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to