+1

On 4/23/18 3:13 PM, Brian Campbell wrote:
I just noticed/remembered that the draft also currently defines a "cid" claim for the client identifier where Introspection's RFC 7662 already uses "client_id" for the same thing. The reason for using "cid" was similar in that I was looking to follow the semi-convention of JWT using three letter short claim names. But I think consistency with RFC 7662 is more important and meaningful here. So, barring a rough consensus of objections, I'm going to make that change too in a soon-to-be next revision of the draft.



On Thu, Apr 19, 2018 at 7:38 AM, Torsten Lodderstedt <tors...@lodderstedt.net <mailto:tors...@lodderstedt.net>> wrote:

    +1 - It will make things much simpler.


    On 19.04.2018 at 00:58, Mike Jones
    <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com>> wrote:

    I’m OK with this change, given it makes the OAuth suite of specs
    more self-consistent.

    -- Mike

    *From:* OAuth <oauth-boun...@ietf.org
    <mailto:oauth-boun...@ietf.org>> *On Behalf Of * Brian Campbell
    *Sent:* Wednesday, April 18, 2018 8:17 AM
    *To:* Torsten Lodderstedt <tors...@lodderstedt.net
    <mailto:tors...@lodderstedt.net>>
    *Cc:* oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
    *Subject:* Re: [OAUTH-WG] scp claim in
    draft-ietf-oauth-token-exchange-12

    The draft-ietf-oauth-token-exchange document makes use of scope
    and at some point in that work it came to light that, despite the
    concept of scope being used lots of places elsewhere, there was
    no officially registered JWT claim for scope. As a result, we
    (the WG) decided to have draft-ietf-oauth-token-exchange define
    and register a JWT claim for scope. It's kind of an awkward place
    for it really but that's how it came to be there.

    When I added it to the draft, I opted for the semi-convention of
    JWT using three letter short claim names, and decided to use a
    JSON array to convey multiple values rather than space
    delimiting. It seemed like a good idea at the time - more
    consistent with other JWT claim names and cleaner to use the
    facilities of JSON rather than a delimited string. That was the
    thinking at the time anyway and, as I recall, I asked the WG
    about doing it that way at one of the meetings and there was
    general, if somewhat absent, nodding in the room.

    Looking at this again in the context of the question from Torsten
    and his developers, I think using a different name and syntax for
    the JWT claim vs. the Introspection response
    member/parameter/claim is probably a mistake.  While RFC 7662
    Introspection response parameters aren't exactly the same as JWT
    claims, they are similar in many respects. So giving consistent
    treatment across them to something like scope is

    Therefore I propose that the JWT claim for representing scope in
    draft-ietf-oauth-token-exchange be changed to be consistent with
    the treatment of scope in RFC 7662 OAuth 2.0 Token Introspection.
    That effectively means changing the name from "scp" to "scope"
    and the value from a JSON array to a string delimited by spaces.

    I realize it's late in the process to make this change but
    believe doing so will significantly reduce confusion and issues
    in the long run.


    On Sun, Apr 15, 2018 at 10:43 AM, Torsten Lodderstedt
    <tors...@lodderstedt.net <mailto:tors...@lodderstedt.net>> wrote:

        Hi all,

        I’m wondering why draft-ietf-oauth-token-exchange-12
        defines a claim „scp“ to carry scope values while RFC 7591
        and RFC 7662 use a claim „scope“ for the same purpose. As far
        as I understand the text, the intention is to represent a
        list of RFC6749 scopes. Is this correct? What’s the rationale
        behind?

        Different claim names for representing scope values confuse
        people. I realized that when one of our developers pointed
        out that difference recently.

        best regards,
        Torsten.
        _______________________________________________
        OAuth mailing list
        OAuth@ietf.org <mailto:OAuth@ietf.org>
        https://www.ietf.org/mailman/listinfo/oauth
        <https://www.ietf.org/mailman/listinfo/oauth>


    */CONFIDENTIALITY NOTICE: This email may contain confidential and
    privileged material for the sole use of the intended
    recipient(s). Any review, use, distribution or disclosure by
    others is strictly prohibited. If you have received this
    communication in error, please notify the sender immediately by
    e-mail and delete the message and any file attachments from your
    computer. Thank you./*







--
Distinguished Engineer
Identity Services Engineering     Work: george.fletc...@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography
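
The rename discussed in the thread, from a "scp" JSON array to a space-delimited "scope" string matching RFC 7662, worked through as an added example that is not part of the thread, of the draft, or of any project's code: a resource server that extracts the granted scope from a decoded JWT claim set (either form, so tokens minted before the change still parse) or from an RFC 7662 introspection response, and checks a required scope. The claim sets and introspection responses below are constructed samples; ScopeError, parse_scope_string, parse_scope_array, scope_from_claims, introspection_scope and has_required_scope are this example's own names, not anything from the specifications.

```python
"""Normalising OAuth 2.0 scope across JWT claims and RFC 7662 introspection.

Added example, not code from the thread or from draft-ietf-oauth-token-exchange.
Assumes the JWT payload has already been signature-checked upstream; this code
only interprets the claim set.
"""
import json
import re
from typing import Iterable, Mapping

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII minus space, double quote and backslash.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


class ScopeError(ValueError):
    """Raised when a scope claim is malformed or ambiguous."""


def parse_scope_string(value) -> frozenset:
    """Parse the RFC 7662-style 'scope' member: scope-token *( SP scope-token )."""
    if not isinstance(value, str):
        raise ScopeError(f"scope must be a string, got {type(value).__name__}")
    if value == "":
        return frozenset()  # treated as "no scope granted"
    tokens = value.split(" ")  # exactly one SP between tokens
    if any(t == "" for t in tokens):
        raise ScopeError("empty scope token (leading, trailing or doubled space)")
    for t in tokens:
        if not _SCOPE_TOKEN.match(t):
            raise ScopeError(f"invalid character in scope token {t!r}")
    return frozenset(tokens)


def parse_scope_array(value) -> frozenset:
    """Parse the draft-12 'scp' form: a JSON array, one scope-token per entry.

    An entry such as "read write" is rejected rather than re-split: in the
    array form a single entry is one token, and silently splitting it would
    grant a scope the issuer did not express as a token.
    """
    if not isinstance(value, list):
        raise ScopeError("scp must be a JSON array")
    out = set()
    for t in value:
        if not isinstance(t, str) or not _SCOPE_TOKEN.match(t):
            raise ScopeError(f"invalid scp entry {t!r}")
        out.add(t)
    return frozenset(out)


def scope_from_claims(claims: Mapping) -> frozenset:
    """Scope granted by a decoded JWT claim set or an introspection response.

    Prefers the 'scope' string form; tolerates the older 'scp' array form.
    A claim set carrying both with different values is refused, so a resource
    server never ends up picking whichever representation happens to be wider.
    """
    scope = parse_scope_string(claims["scope"]) if "scope" in claims else None
    scp = parse_scope_array(claims["scp"]) if "scp" in claims else None
    if scope is not None and scp is not None and scope != scp:
        raise ScopeError("'scope' and 'scp' claims disagree")
    if scope is not None:
        return scope
    return scp if scp is not None else frozenset()


def introspection_scope(response: Mapping) -> frozenset:
    """RFC 7662 section 2.2: if 'active' is not true, the other members carry
    no meaning, so an inactive token grants no scope at all. Check 'active'
    before ever looking at 'scope'."""
    if response.get("active") is not True:
        return frozenset()
    return scope_from_claims(response)


def has_required_scope(granted: Iterable[str], required: Iterable[str]) -> bool:
    """True when every required scope token is present in the granted set."""
    return frozenset(required) <= frozenset(granted)


# Constructed samples (hypothetical issuer, subject and client identifiers).
TOKEN_EXCHANGE_JWT = {"iss": "https://as.example", "sub": "alice",
                      "scope": "read write", "client_id": "app-1"}
LEGACY_DRAFT12_JWT = {"iss": "https://as.example", "sub": "alice",
                      "scp": ["read", "write"], "cid": "app-1"}
INTROSPECTION_ACTIVE = json.loads(
    '{"active": true, "client_id": "app-1", "scope": "read write dolphin"}')
INTROSPECTION_INACTIVE = json.loads('{"active": false}')

if __name__ == "__main__":
    for name, claims in (("jwt/scope", TOKEN_EXCHANGE_JWT),
                         ("jwt/scp", LEGACY_DRAFT12_JWT)):
        print(name, sorted(scope_from_claims(claims)))
    print("introspection", sorted(introspection_scope(INTROSPECTION_ACTIVE)))
    print("inactive grants read?",
          has_required_scope(introspection_scope(INTROSPECTION_INACTIVE), ["read"]))
```

The two behaviours worth keeping when you adapt this: a claim set that carries both "scope" and "scp" with different contents is an error rather than a union, and an introspection response is only consulted for scope after "active" has been checked, since RFC 7662 does not require any other member to be meaningful for an inactive token.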
