Yes to both questions.

On Tue, Jun 14, 2022 at 2:22 PM Warren Parad <wpa...@rhosys.ch> wrote:

> Is it helpful to challenge this implementation? (and is this email thread
> the right place to do it?)
>
> On Tue, Jun 14, 2022 at 5:27 PM Rifaat Shekh-Yusef <
> rifaat.s.i...@gmail.com> wrote:
>
>> It is a Nested JWT with at least *two related subjects*, one in the
>> enclosed JWT and another in the enclosing JWT.
>> Having said that, I do not have a strong opinion on the name and we could
>> potentially change it to a name that more accurately reflects the scope of
>> the document, if needed.
>>
>> The justification for this is that in a number of use cases there is a
>> need for both JWTs to be present, to allow the resource server to apply
>> authorization based on who requested the access to the resource and on
>> whose behalf the request is made. For example, a parent ordering medication for
>> their child. There are other use cases described in the document.
>>
>> Regards,
>>  Rifaat
>>
>>
>>
>>
>> On Tue, Jun 14, 2022 at 11:09 AM Warren Parad <wpa...@rhosys.ch> wrote:
>>
>>> After reading the draft I also have some concerns. This still isn't
>>> multi-subject, right? As there is only one subject, there just happens to
>>> be a new claim with additional information in it. I'm still behind on the
>>> justification for creating this, as at first glance, either the user got an
>>> access token on behalf of the other user to access their resources or they
>>> are impersonating the other user. So I'm not totally sure I understand the
>>> immediate value/problem statement, but that could be discussed separately.
>>>
>>> There's still only one subject, right? I would recommend that
>>> `multi-subject` be removed from the draft name. For instance, why not:
>>>
>>>    - Nested Subject JWT Claims
>>>
>>> Or maybe we want to talk about the value:
>>>
>>>    - Delegating Authorization using Nested Subject Claims in JWTs
>>>
>>>
>>>
>>> On Tue, Jun 14, 2022 at 5:05 PM Rifaat Shekh-Yusef <
>>> rifaat.s.i...@gmail.com> wrote:
>>>
>>>> Hi Dick,
>>>>
>>>> The initial scope of the document was very limited to extending the
>>>> existing Nested JWT to allow the enclosing JWT to have its own claims.
>>>> Since then, it was clear that there are many use cases that need such a
>>>> mechanism that requires more than just a simple nesting of JWTs. That's the
>>>> reason I changed the name, to reflect the larger scope of this document.
>>>>
>>>> I do not mind changing the name, if it makes sense.
>>>> Would changing the name to Multi-Subject Nested JWT help address your
>>>> concern?
>>>>
>>>> Regards,
>>>>  Rifaat
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jun 14, 2022 at 10:46 AM Dick Hardt <dick.ha...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Rifaat
>>>>>
>>>>> I'm suspecting there was a conversation on changing the name to
>>>>> multi-subject JWT. Would you provide a pointer or short summary?
>>>>>
>>>>> I find the name concerning as I am looking at a very different concept
>>>>> that would also be considered a multi-subject JWT.
>>>>>
>>>>>
>>>>> My use case is where user accounts have been merged, and the issuer
>>>>> has multiple "sub" claims for the same user and would like to include all
>>>>> the values in the JWT to signal to the RP that the accounts have been
>>>>> merged.
>>>>>
>>>>> I was considering calling it "aka" and it would be an array of
>>>>> identifiers. "aka" => Also Known As
>>>>>
>>>>> /Dick
>>>>>
>>>>> On Tue, Jun 14, 2022 at 5:25 AM Rifaat Shekh-Yusef <
>>>>> rifaat.s.i...@gmail.com> wrote:
>>>>>
>>>>>> I have just submitted an updated version of the *Multi-Subject JWT*
>>>>>> draft (formerly known as Nested JWT) with more details.
>>>>>> I would appreciate any reviews and feedback on this version.
>>>>>> https://datatracker.ietf.org/doc/html/draft-yusef-oauth-nested-jwt
>>>>>>
>>>>>> Regards,
>>>>>>  Rifaat
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>
>>>
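The two-subject arrangement discussed in the thread, as an added example that is not code from the draft or from any participant: the enclosed JWT carries the subject on whose behalf the request is made, the enclosing JWT carries the requester's own "sub", and the resource server verifies both signatures before trusting either subject. The claim name `enclosed_jwt`, the HS256 keys and the issuer names are constructed assumptions; the draft's actual claim names are not stated in the thread.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical claim that carries the enclosed JWT; the draft's real name is not given here.
ENCLOSED_CLAIM = "enclosed_jwt"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS over a JSON claim set (HS256 chosen only to keep the example self-contained)."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_hs256(token: str, key: bytes) -> dict:
    """Pin the algorithm, check the signature in constant time, then return the claim set."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token's own header never chooses the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))

def issue_two_subject_jwt(requester: str, on_behalf_of: str, inner_key: bytes, outer_key: bytes) -> str:
    """Enclosed JWT names the party whose resource is accessed; enclosing JWT names the requester."""
    inner = sign_hs256({"iss": "idp.example", "sub": on_behalf_of}, inner_key)
    return sign_hs256({"iss": "as.example", "sub": requester, ENCLOSED_CLAIM: inner}, outer_key)

def resolve_subjects(token: str, outer_key: bytes, inner_key: bytes) -> tuple:
    """Resource-server side: verify both layers, then return (requester, on_behalf_of)."""
    outer = verify_hs256(token, outer_key)
    if ENCLOSED_CLAIM not in outer:
        raise ValueError("enclosing JWT carries no enclosed JWT")
    inner = verify_hs256(outer[ENCLOSED_CLAIM], inner_key)  # inner layer has its own key and signature
    return outer["sub"], inner["sub"]

# Constructed sample, mirroring the thread's parent-orders-medication-for-child case.
INNER_KEY = b"constructed-idp-key"
OUTER_KEY = b"constructed-as-key"
TOKEN = issue_two_subject_jwt("parent@example", "child@example", INNER_KEY, OUTER_KEY)
```

Authorization policy at the resource server can then be keyed on both returned subjects; a failure in either layer's signature rejects the whole request.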