Thanks for the catch! Will add a mention of that in section 2.1 as well.

 

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Brian Campbell
Sent: Thursday, April 16, 2020 1:16 PM
To: Aaron Parecki <aa...@parecki.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 
2.0 Access Tokens"

 

I'll +1 that 

 

On Thu, Apr 16, 2020 at 2:14 PM Aaron Parecki <aa...@parecki.com 
<mailto:aa...@parecki.com> > wrote:

My mistake! In that case, my request is editorial, to mention that in section 
2.1 where it first talks about signing algorithms.




----

Aaron Parecki

aaronparecki.com <http://aaronparecki.com> 

@aaronpk <http://twitter.com/aaronpk> 

 

 

 

On Thu, Apr 16, 2020 at 1:12 PM Brian Campbell <bcampb...@pingidentity.com 
<mailto:bcampb...@pingidentity.com> > wrote:

sec 4 does have "The resource server MUST reject any JWT in which the value of 
"alg" is "none".'

 

On Thu, Apr 16, 2020 at 1:09 PM Aaron Parecki <aa...@parecki.com 
<mailto:aa...@parecki.com> > wrote:

Section 2.1 says:

 

> Although JWT access tokens can use any signing algorithm, use of

> asymmetric algorithms is RECOMMENDED

 

Can this be strengthened to disallow the `none` algorithm? Something like 
adding "... and MUST NOT use the "none" algorithm".

 

Given that the JWT BCP doesn't disallow the "none" algorithm, technically 
someone could follow both this JWT Access Token spec and the JWT BCP spec and 
end up with an implementation that allows an AS to accept JWTs with the "none" 
algorithm.

 

----

Aaron Parecki

aaronparecki.com <http://aaronparecki.com> 

@aaronpk <http://twitter..com/aaronpk> 

 

 

 

On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com 
<mailto:rifaat.i...@gmail.com> > wrote:

Hi all,

 

This is a second working group last call for "JSON Web Token (JWT) Profile for 
OAuth 2.0 Access Tokens".

 

Here is the document:

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06

 

Please send your comments to the OAuth mailing list by April 29, 2020.

 

Regards,

 Rifaat & Hannes

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited..  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to