Thanks for writing this up. One comment on auth_time...
auth_time OPTIONAL - as defined in section 2 of [OpenID.Core
<https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>].
Important: as this claim represents the time at which the end user
authenticated, its value will remain the same for all the JWT
access tokens issued within that session. For example: all the
JWT access tokens obtained with a given refresh token will all
have the same value of auth_time, corresponding to the instant in
which the user first authenticated to obtain the refresh token.
During a current session a user can be challenged for additional
credentials or required to re-authenticate due to a number of different
reasons. For example, OIDC prompt=login or max_age=NNN. In this context,
I'd assume that the auth_time value should be updated to the latest time
at which the user authenticated.
If we need a timestamp for when the "session" started, then there could
be a session_start_time claim.
Thanks,
George
On 3/24/19 7:29 PM, Vittorio Bertocci wrote:
Dear all,
I just submitted a draft describing a JWT profile for OAuth 2.0 access
tokens. You can find it in
https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting
remotely). I look forward for your comments!
Here's just a bit of backstory, in case you are interested in how this
doc came to be. The trajectory it followed is somewhat unusual.
* Despite OAuth2 not requiring any specific format for ATs, through
the years I have come across multiple proprietary solution using
JWT for their access token. The intent and scenarios addressed by
those solutions are mostly the same across vendors, but the syntax
and interpretations in the implementations are different enough to
prevent developers from reusing code and skills when moving from
product to product.
* I asked several individuals from key products and services to
share with me concrete examples of their JWT access tokens (THANK
YOU Dominick Baier (IdentityServer), Brian Campbell
(PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta)
for the tokens and explanations!).
I studied and compared all those instances, identifying
commonalities and differences.
* I put together a presentation summarizing my findings and
suggesting a rough interoperable profile (slides:
https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
<https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
) - got early feedback from Filip Skokan on it. Thx Filip!
* The presentation was followed up by 1.5 hours of unconference
discussion, which was incredibly valuable to get tight-loop
feedback and incorporate new ideas. John Bradley, Brian Campbell
Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes
Tschofenig were all there and contributed generously to the
discussion. Thank you!!!
Note: if you were at OSW2019, participated in the discussion and
didn't get credited in the draft, my apologies: please send me a
note and I'll make things right at the next update.
* On my flight back I did my best to incorporate all the ideas and
feedback in a draft, which will be discussed at IETF104 tomorrow.
Rifaat, Hannes and above all Brian were all super helpful in
negotiating the mysterious syntax of the RFC format and submission
process.
I was blown away by the availability, involvement and willingness to
invest time to get things right that everyone demonstrated in the
process. This is an amazing community.
V.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
