Are you saying jwt is not an access token type?

Phil

Sent from my phone.

On 2013-02-28, at 8:58, John Bradley <ve7...@ve7jtb.com> wrote:

> Yes, defining scope in JWT is the wrong place.   JWT needs to stick to the 
> security claims needed to process JWT.
> 
> I also don't know how far you get requiring a specific authorization format 
> for JWT, some AS will want to use an opaque reference, some might want to use a 
> user claim or role claim, others may use scopes, combining scopes and claims 
> is also possible.
> 
> Right now it is up to an AS/RS pair to agree on how to communicate 
> authorization. I don't want MAC to be more restrictive than bearer when it 
> comes to authorization between AS and RS.
> 
> Hannes wanted to know why JWT didn't define scope. The simple answer is that 
> it is out of scope for JWT itself. It might be defined in an OAuth access 
> token profile for JWT but it should not be specific to MAC.
> 
> John B.
> On 2013-02-28, at 8:44 AM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> 
>> I think John's point was more that scope is something rather specific to an 
>> OAuth access token and, while JWT can be used to represent an access 
>> token, it's not the only application of JWT. The 'standard' claims in JWT 
>> are those that are believed (right or wrong) to be widely applicable across 
>> different applications of JWT. One could argue about it but scope is 
>> probably not one of those.
>> 
>> It would probably make sense to try and build a profile of JWT specifically 
>> for OAuth access tokens (though I suspect there are some turtles and dragons 
>> in there), which might be the appropriate place to define/register a scope 
>> claim.
>> 
>> 
>> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.h...@oracle.com> wrote:
>>> Are you advocating TWO systems? That seems like a bad choice.
>>> 
>>> I would rather fix scope than go to a two system approach.
>>> 
>>> Phil
>>> 
>>> Sent from my phone.
>>> 
>>> On 2013-02-28, at 8:17, John Bradley <ve7...@ve7jtb.com> wrote:
>>> 
>>> > While scope is one method that an AS could communicate authorization to an 
>>> > RS, it is not the only or perhaps even the most likely one.
>>> > Using scope requires a relatively tight binding between the RS and AS; 
>>> > UMA uses a different mechanism that describes finer grained operations.
>>> > The AS may include roles, user, or other more abstract claims that the 
>>> > client may (god help them) pass on to XACML for processing.
>>> >
>>> > While having a scopes claim is possible, like any other claim it is not 
>>> > part of the JWT core security processing claims, and needs to be defined 
>>> > by extension.
>>> >
>>> > John B.
>>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> 
>>> > wrote:
>>> >
>>> >> Hi Mike,
>>> >>
>>> >> when I worked on the MAC specification I noticed that the JWT does not 
>>> >> have a claim for the scope. I believe that this would be needed to allow 
>>> >> the resource server to verify whether the scope the authorization server 
>>> >> authorized is indeed what the client is asking for.
>>> >>
>>> >> Ciao
>>> >> Hannes
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >
> 
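The check Hannes asks for at the start of the thread, an RS confirming that the scope the AS actually granted covers what the client is now asking for, as an added example that is not code from any participant: a minimal JWT access-token validator for the RS side, standard library only. It assumes a shared HMAC key between AS and RS (HS256), a hypothetical issuer and audience, and a space-delimited string `scope` claim, which is the RFC 6749 section 3.3 syntax. The OAuth access-token profile of JWT that Brian anticipates was later published as RFC 9068; it registers `scope` in exactly that form and sets the `typ` header to `at+jwt`, and the example follows it. Everything else (key, issuer, audience, sample claims) is constructed for the demo.

```python
# Added example, not code from the thread. A resource server (RS) validating a
# JWT access token from an authorization server (AS) and enforcing "scope".
# Assumption: AS and RS share an HMAC key (HS256); iss/aud values are hypothetical.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumed AS/RS shared secret
EXPECTED_ISSUER = "https://as.example"               # hypothetical AS
EXPECTED_AUDIENCE = "https://rs.example/messages"    # hypothetical RS


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """AS side: sign the claims set as an HS256 JWT with typ "at+jwt" (RFC 9068)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token: str, key: bytes = SHARED_KEY,
                        now: Optional[float] = None) -> dict:
    """RS side: the JWT "core" checks that do not depend on how authorization is
    expressed (structure, pinned alg/typ, signature, iss, aud, exp)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin what the RS expects; never let the token's own header pick the algorithm.
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        raise ValueError("unexpected alg or typ")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def token_scopes(claims: dict) -> set:
    """'scope' is a space-delimited string (RFC 6749 syntax, carried as-is by
    RFC 9068), not a JSON array. A missing claim means no scopes, never all scopes."""
    scope = claims.get("scope", "")
    if not isinstance(scope, str):
        raise ValueError("scope must be a string")
    return set(scope.split())


def authorize(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """True only if the token verifies AND the AS granted the scope this operation
    needs. Every failure is a plain denial; the client is not told why."""
    try:
        return required_scope in token_scopes(verify_access_token(token, now=now))
    except ValueError:
        return False


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed sample run: the AS grants read and write on messages; a client
    then presents the token as-is, re-signed with its own key, and with an
    escalated scope claim under the AS's original signature."""
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-123",
              "iat": int(now), "exp": int(now) + 300,
              "scope": "messages:read messages:write"}
    token = mint_access_token(claims)
    h, p, s = token.split(".")
    forged = f"{h}.{p}." + _b64url_encode(
        hmac.new(b"attacker-key", f"{h}.{p}".encode("ascii"), hashlib.sha256).digest())
    escalated_claims = dict(claims, scope=claims["scope"] + " messages:delete")
    escalated = f"{h}." + _b64url_encode(
        json.dumps(escalated_claims, separators=(",", ":")).encode()) + f".{s}"
    return {
        "read_allowed": authorize(token, "messages:read", now=now),
        "delete_allowed": authorize(token, "messages:delete", now=now),
        "expired": authorize(token, "messages:read", now=now + 600),
        "forged_signature": authorize(forged, "messages:read", now=now),
        "escalated_scope": authorize(escalated, "messages:delete", now=now),
    }
```

The scope comparison is the last and smallest step; the signature check before it is what makes "what the AS authorized" mean anything, which is why the escalated-scope token in the demo is refused on signature rather than on scope. If the AS instead hands out an opaque reference, as John notes some will, the RS has nothing to parse and must ask the AS; OAuth 2.0 Token Introspection (RFC 7662) is the standardized channel for that, and the final scope check is the same either way, only the source of the claims changes.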