: Vittorio Bertocci , oauth
Subject: RE: [EXTERNAL] [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for
OAuth 2.0 Access Tokens"
*From: *OAuth on behalf of Denis
*Date: *Thursday, April 9, 2020 at 09:26
*To: *oauth
*Subject: *Re: [OAUTH-WG] WGLC on "JSON Web To
are thinking of that calls
> > for a version? If it’s a matter of extensions, those should always be
> > possible – it’s more breaking changes that require versioning, but I
> > don’t recall precedents in similar specs.
> >
> > If this is aimed at mitigating the “AS
be for- at least at the time in which the spec was incepted. In
fact, resource indicators were not even an RFC and in-market vendors used
proprietary functional equivalents. What other interoperable
mechanisms would you offer in addition to the ones listed here?
*From: *OAuth on behalf of Denis
:26
To: oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
I have three concerns, two of them being related to privacy.
1) Privacy has not really been a concern in the WG since originally the
AT and the RS were co-located. However, this draft now recognizes
that there may exist cases where "the authorization server and resource
server are not co-locate
Thanks Vittorio for the thorough response!
I agree that how scopes are handled is very different across
deployments. Scopes used for an RP with a mobile app (e.g. something
like OpenTable) are going to be very different than a multi-tenant
enterprise system with fixed services and roles that a
Thanks Annabelle and George! I am consolidating replies to both your latest
comments in this mail. This seems a hard rock to lift, but it also seems to be
the last one 😊.
The TL;DR is, I am not completely opposed to relaxing the constraints and
turning them into security considerations, but I
: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
Preventing token substitution/confusion was not at all the aim of my comment. I
only brought that up in an attempt to bridge what looked like a communication
gap in Annabelle's and your discussion
>
>
> On Wed, Mar 25, 2020 at 12:57 PM wrote:
>
> That works for me!
>
> *From:* George Fletcher
> *Sent:* Wednesday, March 25, 2020 11:56 AM
> *To:* vittorio.berto...@auth0.com; 'Brian Campbell' 40pingidentity@dmarc.ietf.org>
> *Cc:* '
To: "vittorio.bertocci=40auth0@dmarc.ietf.org"
, 'George Fletcher'
, 'Brian Campbell'
Cc: 'oauth'
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
This is another manifestation of the limits of jwks_u
Cc: 'oauth'
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
This is another manifestation of the limits of jwks_uri that I’ve brought up on
the list
previously<https://mailarchive.ietf.org/arch/msg/oauth/eCZ-wUU2iwTyfx-
sign JWT ATs” work better?
From: Brian Campbell
Date: Wednesday, March 25, 2020 at 14:26
To: Vittorio Bertocci
Cc: George Fletcher , Brian Campbell
, oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
It seems to me that leaving that ou
That works for me!
From: George Fletcher
Sent: Wednesday, March 25, 2020 11:56 AM
To: vittorio.berto...@auth0.com; 'Brian Campbell'
Cc: 'Brian Campbell' ; 'oauth'
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access T
; Vittorio Bertocci
; oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access
Tokens"
I don't think you are missing anything, George (except that, to be pedantic,
`kid` is a header rather than a claim).
The question gave me pause, however,
ance further.
From: Brian Campbell
Sent: Wednesday, March 25, 2020 11:21 AM
To: George Fletcher
Cc: Brian Campbell ; Vittorio Bertocci
; oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
I don't think you are missing anything, Geor
> the reasons listed below, or any other reason they might have) and a
> heads-up to RSes so that they don’t make assumptions.
>
> *From:* Brian Campbell
>
> *Sent:* Wednesday, March 25, 2020 8:48 AM
> *To:* Vittorio Bertocci
>
> *Cc:* Richard Backman, Annabell
org>
*Subject:* Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth
2.0 Access Tokens"
I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's
comment was an assumption that signing ATs and ID Tokens with different
keys would be done to prevent tok
don’t make assumptions.
>
> *From:* Brian Campbell
> *Sent:* Wednesday, March 25, 2020 8:48 AM
> *To:* Vittorio Bertocci
> *Cc:* Richard Backman, Annabelle ; oauth <
> oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for
asons listed below, or any other reason they might have) and a heads-up to
RSes so that they don’t make assumptions.
From: Brian Campbell
Sent: Wednesday, March 25, 2020 8:48 AM
To: Vittorio Bertocci
Cc: Richard Backman, Annabelle ; oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JW
"JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci
mailto:40auth0@dmarc.ietf.org> > wrote:
>4 p1: Saying asymmetric signatures are RECOMMENDED presupposes that key
>distribution is the implementer’s prim
I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's
comment was an assumption that signing ATs and ID Tokens with different
keys would be done to prevent token substitution/confusion. And there's not
really a practical way to achieve that with the mechanics of the jwks_uri.
O
On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci wrote:
> *>4 p1: Saying asymmetric signatures are RECOMMENDED presupposes that key
> distribution is the implementer’s primary concern. MAC-based
> implementations shouldn’t be seen as some weird edge case scenario (though
> it’d be worth includin
that step?
Nits: will sweep through them tomorrow and apply to the text accordingly. THANK
YOU!
From: OAuth on behalf of "Richard Backman, Annabelle"
Date: Tuesday, March 24, 2020 at 15:45
To: 'oauth'
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for
To borrow a term from ML, I think the "aud", "scope", and resource
indicator-related text is overfitted to a specific set of deployment scenarios,
and a specific way of using scopes and resource indicators.
Consider the following:
1. There may be no "scope" parameter
The "scope" parameter is OP
uth'
Subject: RE: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
Just a general comment, OIDC has been designed for a specific reason (“identity
layer on top of the OAuth 2.0”) whereas JWT access tokens are used for more
applications. Since the goa
Thanks George for the super thorough review and feedback!
Inline
> Section 1. Introduction
> - second line: scenario should be plural --> scenarios
> - second sentence: "are not ran by" --> "are not run by"
> - cofidentiality --> confidentiality
Fixed. Thanks!
>
proprietary JWT
access tokens layout”, I feel it is restrictive.
Best,
Nikos
From: Vittorio Bertocci
Sent: Tuesday, March 24, 2020 7:57 PM
To: Nikos Fotiou
Cc: Hannes Tschofenig ; oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
resource was a mandatory request param) to v2, where the resource was inferred
from the scopes via scopes stuffing.
From: OAuth on behalf of George Fletcher
Date: Tuesday, March 24, 2020 at 11:48
To: Vittorio Bertocci , Takahiko Kawasaki
Cc: oauth
Subject: Re: [OAUTH-WG] WGLC on "JSON Web
Focusing just on this comment...
This assumes the system uses a specific implementation of scope values
(e.g. 'read', 'write', 'delete'). It is very possible that in the
context of a calendar service and an inbox service... the system
defines scopes like 'cal-r', 'cal-w', 'mail-r', 'mail-w' i
Feedback on the spec...
Section 1. Introduction
- second line: scenario should be plural --> scenarios
- second sentence: "are not ran by" --> "are not run by"
Section 2.2.1 Authentication Information Claims
- I'm not sure that this definition of `auth_time` allows for th
ult in privacy/security attacks.
>>
>> - IMHO the token validation procedure is too bound to the particular
>> discovery mechanisms mentioned at the beginning of this section. E.g., Step
>> 2 mentions a “registration” process, and Step 3 mentions an “Issuer
>> Identif
mentioned that the resource server “must validate that the JWT
> access token has been signed with a signing key that corresponds to the
> authorization server included in the iss claim”
>
> Best,
>
> Nikos
>
> *From:* OAuth *On Behalf Of *Hannes Tsc
server included in the iss claim
Best,
Nikos
From: OAuth On Behalf Of Hannes Tschofenig
Sent: Monday, March 23, 2020 11:18 PM
To: oauth
Subject: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0
Access Tokens"
Hi all,
this is a working group last call for "JSON Web Token (JWT) Profile for OAuth
2.0 Access Tokens".
Here is the document:
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04
Please send your comments to the OAuth mailing list by April 6, 2020.
Ciao
Hannes & Rifaat