Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Mike Jones
It sounds to me like you're making a good argument for this spec to have its own registry. Registries are easy to establish and use. From: Justin Richer Sent: 3/4/2015 6:43 PM To: Mike Jones; Hannes T

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Justin Richer
I'm actually fine with keeping the introspection-specific elements out of the registry (see my note on "active" and how it doesn't fit in JWT below), but I do not want to give up the short names. The short names are already in production, especially "active", which is well understood and used i

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread Mike Jones
It does so for the same reason that the JWT spec does - to promote interoperability. We can add wording along the likes of "the JWE Compact Serialization MUST be used" if you like. -- Mike -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Mike Jones
I have severe concerns with this approach. It’s not appropriate to register arbitrary JSON object member names as JWT claim names – especially when the JSON object member names are not even being used as JWT claim names. Please do not do this, as it would needlessly pollute the JWT claim name

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread Anthony Nadalin
Why does the specification state "encrypted to a key known to the recipient using the JWE Compact Serialization"? Is this the only serialization allowed (there is no MUST)? containing the symmetric key. -Original Message- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Ts

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Anthony Nadalin
> The definition of “active” is really up to the authorization server, and I’ve yet to hear from an actual implementor who’s confused by this definition. When you’re the one issuing the tokens, you know what an “active” token means to you

According to the spec as written the Introspection endpo
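The messages above turn on two points a resource server has to live with: "active" is introspection-specific and its meaning is up to the authorization server, while the other response members reuse the JWT short names ("exp", "aud", "iss", "sub", "iat") plus "scope" and "client_id". The following is an added example, not code from the thread, from RFC 7662 or from any draft: a resource-server side check over an introspection response that treats "active" as necessary but not sufficient and also enforces the JWT-aligned time, issuer and audience members and the required scopes. The issuer, resource identifier and the two sample response bodies are constructed for the example.

```python
"""Resource-server side handling of an OAuth 2.0 token introspection response.

Added example, not code from the OAuth WG thread or from any draft. It assumes
the member names discussed in the thread: "active" (introspection-specific)
plus the JWT-aligned short names "exp", "nbf", "iat", "aud", "iss", "sub",
and the OAuth members "scope" and "client_id". Sample bodies are constructed.
"""
import json
import time


def check_introspection_response(raw, expected_issuer, resource_id,
                                 required_scopes, now=None):
    """Decide whether a protected resource should accept the token.

    `raw` is the JSON body returned by the introspection endpoint. Returns an
    (accepted, reason) tuple so the caller can log why a request was refused.
    Only the authorization server knows what "active" means for its tokens,
    so the resource server never treats a missing or non-boolean "active" as
    acceptance, and it still applies its own exp/aud/iss/scope policy.
    """
    now = time.time() if now is None else now
    try:
        resp = json.loads(raw)
    except ValueError:
        return False, "response is not valid JSON"
    if not isinstance(resp, dict):
        return False, "response is not a JSON object"

    # "active" is the one required member; it must be the JSON boolean true
    # (a string "true" or a missing member is a refusal, not an acceptance).
    if resp.get("active") is not True:
        return False, "token not active"

    # JWT-aligned time members are NumericDate values (seconds since epoch).
    exp = resp.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired per exp"
    nbf = resp.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid per nbf"

    # Issuer: the resource only trusts tokens from the AS it is configured for.
    iss = resp.get("iss")
    if iss is not None and iss != expected_issuer:
        return False, "unexpected issuer"

    # Audience: a string or an array of strings, as for the JWT "aud" claim.
    # The member is optional in introspection, so its absence is tolerated
    # here; a stricter deployment would refuse responses without it.
    aud = resp.get("aud")
    if aud is not None:
        auds = [aud] if isinstance(aud, str) else list(aud)
        if resource_id not in auds:
            return False, "token not intended for this resource"

    # Scope: space-separated string (RFC 6749 syntax), not a JWT claim.
    granted = set((resp.get("scope") or "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))

    return True, "accepted for subject %s via client %s" % (
        resp.get("sub"), resp.get("client_id"))


# Constructed sample responses (hypothetical values, not from any draft).
ACTIVE_RESPONSE = json.dumps({
    "active": True,
    "scope": "read write",
    "client_id": "client-app-1",
    "sub": "user-42",
    "aud": "https://protected.example.net/resource",
    "iss": "https://server.example.com/",
    "exp": 1419356238,
    "iat": 1419350238,
})
INACTIVE_RESPONSE = json.dumps({"active": False})

if __name__ == "__main__":
    fixed_now = 1419350300  # between iat and exp of the sample token
    for body in (ACTIVE_RESPONSE, INACTIVE_RESPONSE):
        print(check_introspection_response(
            body, "https://server.example.com/",
            "https://protected.example.net/resource", ["read"], now=fixed_now))
```

Because an inactive token may be reported with nothing but `{"active": false}`, the check short-circuits on "active" before looking at any other member; the remaining checks exist so that a resource server does not delegate its entire authorization decision to a flag whose semantics another party defines.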

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread John Bradley
> On Mar 4, 2015, at 3:40 PM, Hannes Tschofenig wrote:
>
> Hi all,
>
> as the deadline is approaching I would like to close the open issues of the document. There are two open issues listed in the document and I propose ways to resolve them below
>
> Open Issue #1:
>
> "In some convers

Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

2015-03-04 Thread Justin Richer
Hi Hannes, thanks for the feedback. Responses inline.

> On Mar 3, 2015, at 5:56 AM, Hannes Tschofenig wrote:
>
> Hi Justin, Hi all,
>
> in OAuth we provide two ways for a resource server to make an authorization decision.
>
> 1) The resource server receive

Re: [OAUTH-WG] Token Introspection: Misc Review Comments

2015-03-04 Thread Justin Richer
> On Mar 3, 2015, at 5:59 AM, Hannes Tschofenig wrote:
>
> Hi Justin, Hi all,
>
> here are some random review comments:
>
> FROM:
>
> " Since OAuth 2.0 [RFC6749] defines no direct relationship between the authorization server and the protected resource, only that they must ha

[OAUTH-WG] draft-ietf-oauth-proof-of-possession-01: Closing Open Issues before the Deadline

2015-03-04 Thread Hannes Tschofenig
Hi all, as the deadline is approaching I would like to close the open issues of the document. There are two open issues listed in the document and I propose ways to resolve them below Open Issue #1: "In some conversations, we have said that it is the issuer of the JWT that possesses the key,