I believe there's a fair amount of precedent for something like it but typically it's indicating group membership or roll(s) of a user that's uniquely identified by other claims in a JWT. And, as far as I know, there's nothing standardized for it so it's done more ad hoc. Thus there's not really precedent from a standards perspective and, as I think about it more, it's probably not a terribly good idea to try and define new semantics like that at the 11th hour. So I'm gonna go with the '1) leave it as is' option. And you're right that there are things that could be done without too much issue, should it ever prove to be an issue (which I kinda don't think will happen anyway).
On Fri, Jul 12, 2019 at 7:13 PM Benjamin Kaduk <ka...@mit.edu> wrote: > On Sun, Jul 07, 2019 at 09:32:15AM -0400, Brian Campbell wrote: > > On Sat, Jul 6, 2019 at 2:42 PM Benjamin Kaduk <ka...@mit.edu> wrote: > > > > > > > > > Not to my recollection. I'm honestly not even sure what an array > would > > > mean > > > > for "may_act". Do you mean for "act"? > > > > > > Currently we can say that ad...@example.com "may act" as > u...@example.com. > > > But IIUC we don't have a way to say that either adm...@example.com or > > > adm...@example.com may do so. An array would let us indicate multiple > > > authorized parties. I'm reluctant to actually make such a change at > this > > > point, though, since this is already deployed some places, right? > > > > > > > Okay, sorry, I'm a bit slow but I follow you now. > > > > Indeed this has been deployed in a number of places already. I'd honestly > > don't know if anyone is making use of this particular claim but changing > > from an object to array of objects would be a breaking change. And a > > breaking change is something I'd really like to avoid unless there's a > very > > compelling reason to do so. And while your point here is taken, I don't > > think it rises to that level of compelling. > > > > I see two options at this point: > > 1) leave it as is > > 2) adjust the language around "may_act" such that it could also identify > > an eligible group - this would allow for it to indicate multiple > authorized > > parties but just not by one by one name, which is maybe more desirable > > anyway > > > > What do you think? > > Either option is fine with me. I don't remember how much precedent we have > in the OAuth ecosystem for groups that are identified in this manner, but > if it's a fairly common thing that seems to be slighly preferred. > (Even if we go with (1) and this does become an issue at some point, it > shouldn't be too hard to add a "may_also_act" or similar with the array > semantics.) > > -Ben > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
