Dear all,

I am still not sure if I'll have approval to travel to Vancouver and attend IETF107 in person, but in any case, here's a new revision of the JWT AT profile. The main changes are all about Brian and Annabelle's feedback and suggestions. Notable:

o Eliminated all the references to resource aliases list in aud that I missed in version 3, in particular in Sections 2 and 4.
o Introduced a new subsection, Section 2.2.1, moved the definitions of auth_time, acr and amr there, and incorporated the language proposed by Annabelle and Brian.
o In Section 3, softened (from MUST to SHOULD) the requirement that ties the resource identifier in the request to the value in the aud claim of the issued access token.
o Updated the typ header discussion in Section 2.1 to clarify that it helps prevent resources from accepting id_tokens as JWT access tokens.
o Updated references to token exchange, resource indicators and JWT best practices to reflect their RFC status (8793, 8707, 8725).

For the full list of changes, please refer to the document history section.

Given the discussions we had about it, I want to highlight that the spec doesn't contain anything about whether the client obtained the AT in confidential or public capacity. All references about the topic were already removed in previous versions, but given that we discussed it on the list anyway, I just want to make sure it's clear that that aspect is and remains out of scope for this profile.

Thx
V.

On Fri, Mar 6, 2020 at 11:37 AM <internet-dra...@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
> Title : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
> Author : Vittorio Bertocci
> Filename : draft-ietf-oauth-access-token-jwt-04.txt
> Pages : 17
> Date : 2020-03-06
>
> Abstract:
> This specification defines a profile for issuing OAuth 2.0 access
> tokens in JSON web token (JWT) format. Authorization servers and
> resource servers from different vendors can leverage this profile to
> issue and consume access tokens in an interoperable manner.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-04
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
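The typ header change and the aud discussion above describe checks a resource server should perform. The following is an added illustration, not code from the draft or its author: a minimal resource-server validator that rejects a token whose header typ is not "at+jwt" (so an id_token with typ "JWT" is refused even when its signature is valid) and whose aud does not name this resource. It uses HS256 with a constructed shared key purely so the example runs offline; the issuer, resource identifier and key are made-up placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real AS signs with an asymmetric key it publishes.
SECRET = b"demo-hs256-key-not-for-production"
ISSUER = "https://as.example"            # hypothetical authorization server
RESOURCE = "https://api.example"         # hypothetical resource identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, typ: str) -> str:
    """Build an HS256 JWT with the given header typ (demo AS side)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_access_token(token: str, now=None) -> dict:
    """Resource-server checks: signature, alg, typ, iss, aud, exp. Raises ValueError on failure."""
    now = time.time() if now is None else now
    h, c, s = token.split(".")
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(c))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # The typ check is what stops an id_token (typ "JWT") from being accepted as an access token.
    if str(header.get("typ", "")).lower() != "at+jwt":
        raise ValueError("typ is not at+jwt")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or an array
    if RESOURCE not in aud:
        raise ValueError("this resource is not in aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def accepts(token: str, now=None) -> bool:
    """True if the resource server would accept the token, False otherwise."""
    try:
        validate_access_token(token, now)
        return True
    except ValueError:
        return False
```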