[OAUTH-WG] RFC 7662 OAuth 2.0 Token Introspection: token_type

2015-11-17 Thread Vladimir Dzhuvinov 
The "token_type" parameter in introspection responses - is that supposed
to be "access_token" / "refresh_token", or the type of the access token,
e.g. "Bearer"?

https://tools.ietf.org/html/rfc7662#section-2.2

Section 5.1 in RFC 6749 that is referred to points to section 7.1 which
seems to imply the latter?

http://tools.ietf.org/html/rfc6749#section-7.1

Thanks,

Vladimir

-- 
Vladimir Dzhuvinov




smime.p7s
Description: S/MIME Cryptographic Signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] RFC 7662 OAuth 2.0 Token Introspection: token_type

2015-11-17 Thread Hannes Tschofenig 
Hi Vladimir,

it is 'Bearer'.

Section 5.1 in RFC 6749 defines the token_type concept and RFC 6750
registers the 'Bearer' token value (since it defines the bearer token
concept).

We currently have work going on with the PoP token work to also extend
the concept further.

Ciao
Hannes


On 11/17/2015 11:41 AM, Vladimir Dzhuvinov wrote:
> The "token_type" parameter in introspection responses - is that supposed
> to be "access_token" / "refresh_token", or the type of the access token,
> e.g. "Bearer"?
> 
> https://tools.ietf.org/html/rfc7662#section-2.2
> 
> Section 5.1 in RFC 6749 that is referred to points to section 7.1 which
> seems to imply the latter?
> 
> http://tools.ietf.org/html/rfc6749#section-7.1
> 
> Thanks,
> 
> Vladimir
> 
> 
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 



signature.asc
Description: OpenPGP digital signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

2015-11-17 Thread Bill Mills 
Is a data type mapping form JWT to CBOR sufficient then?


 On Monday, November 16, 2015 11:26 PM, Hannes Tschofenig 
 wrote:
   

 #yiv5390846737 #yiv5390846737 -- _filtered #yiv5390846737 
{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv5390846737 
{font-family:Tahoma;panose-1:2 11 6 4 3 5 4 4 2 4;}#yiv5390846737 
#yiv5390846737 p.yiv5390846737MsoNormal, #yiv5390846737 
li.yiv5390846737MsoNormal, #yiv5390846737 div.yiv5390846737MsoNormal 
{margin:0cm;margin-bottom:.0001pt;font-size:12.0pt;}#yiv5390846737 a:link, 
#yiv5390846737 span.yiv5390846737MsoHyperlink 
{color:blue;text-decoration:underline;}#yiv5390846737 a:visited, #yiv5390846737 
span.yiv5390846737MsoHyperlinkFollowed 
{color:purple;text-decoration:underline;}#yiv5390846737 
p.yiv5390846737MsoAcetate, #yiv5390846737 li.yiv5390846737MsoAcetate, 
#yiv5390846737 div.yiv5390846737MsoAcetate 
{margin:0cm;margin-bottom:.0001pt;font-size:8.0pt;}#yiv5390846737 
span.yiv5390846737EmailStyle17 {color:#1F497D;}#yiv5390846737 
span.yiv5390846737BalloonTextChar {}#yiv5390846737 .yiv5390846737MsoChpDefault 
{} _filtered #yiv5390846737 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv5390846737 
div.yiv5390846737WordSection1 {}#yiv5390846737 Hi William,    You are indeed 
correct that the current document contains a list of one-by-one copies of 
claims from the JWT. The only difference is the data type. Probably it would 
have been better to just reference the semantic from the JWT spec and then 
state the new data type.    I fully understand the concern of defining CWT 
claims that have the same name as JWT claims but then different semantic. This 
would be terribly confusing.    Ciao Hannes    From: William Denniss 
[mailto:wdenn...@google.com]
Sent: 16 November 2015 22:32
To: Hannes Tschofenig
Cc: Erik Wahlström neXus; Carsten Bormann; Mike Jones; 
Subject: Re: [COSE] A draft on CBOR Web Tokens (CWT)    You raise some good 
points, and perhaps that is relevant to future claims. The spec as drafted, is 
a one-for-one copy of the standard JWT claims, which is why I raised this 
point.    Is the goal a CBOR representation of a JWT? If so, can it be defined 
in terms of a JWT?  Would the CNF claim then inherit that representation 
(treating the JWE and JWK as their CBOR equivalents)?    Perhaps if you go the 
separate registry route, those claims that *are* defined the same should at 
least normatively reference JWT?  I want to avoid the whole "on behalf of" / 
"act as" fiasco where things can get re-defined, and muddled.    On Mon, Nov 
16, 2015 at 7:09 AM, Hannes Tschofenig  wrote: Hi 
William,   I have been trying to do a document update to see how well a 
combined registry works and I have been wondering whether it is really worth 
the effort.  To make a good judgment I looked at the CNF claim defined in 
draft-ietf-oauth-proof-of-possession. The CNF claim may contain sub-elements, 
such as a JWE or a JWK.   If we translate the same mechanisms to the CWT (which 
makes sense) then we need to point to the respective COSE structures instead. 
Those do not only use a different encoding but also the functionality does not 
match the JOSE structures 100%. So, there are potentially differences. I am 
also not sure whether we really want to translate the full functionality of all 
the claims from JWT over to the CWT equivalent. It basically puts the burden on 
someone defining new claims (either in JWT or in CWT) to create the 
corresponding structures in a format they may not necessarily be familiar with 
or even care about. I have seen that happening in the RADIUS world protocol 
designers had to also define the equivalent structures for use with Diameter 
and, guess what, most of the definitions were wrong (since the authors did not 
care about Diameter when working on RADIUS).   Ciao
Hannes     From: William Denniss [mailto:wdenn...@google.com]
Sent: 12 November 2015 19:19
To: Erik Wahlström neXus
Cc: Carsten Bormann; Hannes Tschofenig; Mike Jones; c...@ietf.org; 
;a...@ietf.org
Subject: Re: [COSE] A draft on CBOR Web Tokens (CWT)   Regarding the draft 
itself, a few comments:   1.  Can we unify the claim registry with JWT? I'm 
worried about having the same claims defined twice in CWT and JWT with possibly 
conflicting meanings (and needless confusion even when they do match).    
Comparing 
https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2
 and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly 
identical, I just don't see the value in re-defining it.   We may add new 
standard claims to JWT in the future (I proposed one in Yokohama on the 
id-event list), it would be good if this didn't need a separate entry in CWT 
too, but could just apply directly (separately, I think you should consider 
this claim, as it helps prevent tokens from being re-used in the wrong 
context).   2. Is Section 4 "Summary of CBOR major types used by defined 
claims" normative 
(https://tools.ietf.org/html/draft-wahlstr

Re: [OAUTH-WG] AD review of draft-ietf-oauth-pop-architecture

2015-11-17 Thread Phil Hunt 
Just wanted to let everyone know I intend to respond shortly. 

I just got back from some holidays and just clearing my backlog now. 

Cheers

Phil

> On Nov 16, 2015, at 12:37, Kathleen Moriarty 
>  wrote:
> 
> Hello,
> 
> I reviewed draft-ietf-oauth-pop-architecture and have a few questions.
> 
> 1. Section 6, Threat Mitigation:
> 
> Last sentence of first paragraph, "To
>   simplify the subsequent description we assume that the token itself
>   is digitally signed by the authorization server and therefore cannot
>   be modified."
> 
> Since bearer tokens are not signed by default, is this proposing a
> change?  If so, where will that change occur?  To state that "it is
> assumed" without it being required anywhere is not a good assumption.
> I'd still see this as a risk or security consideration.  When OAuth is
> re-used by other protocols, I am seeing that re-use leave off basic
> protections that should be assumed like TLS, let alone digital
> signatures.  If this is required in the defined architecture (Section
> 7 - it does show this, but there are no MUSTs that I can find), just
> state that and refer to the requirement.
> 
> 2. Section 6, Threat Mitigation
> 
> Third paragraph, "As an example, TLS with a ciphersuite
>   that offers confidentiality protection has to be applied (which is
>   currently true for all ciphersuites, except for one).
> 
> Please list a reference so the reader knows which ciphersuites are
> acceptable from the recommended ones in RFC7525.  I don't recall there
> being any MTI ciphersuites for OAuth (I'm pretty sure there aren't and
> that we've discussed that already with previous drafts, so this should
> be spelled out more).
> 
> 3. (Nit) Section 6.2, add a comma to improve readability
> From: "Instead of providing confidentiality protection the authorization
>   server could also put the identifier of the client into the protected
>   token with the following semantic:"
> To: "Instead of providing confidentiality protection, the authorization
>   server could also put the identifier of the client into the protected
>   token with the following semantic:"
> 
> Thank you all for your work on this draft!
> -- 
> 
> Best regards,
> Kathleen
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth