The current version of this draft is
"draft-ietf-oauth-access-token-jwt-07" issued on April the 27 th.
This means that comments sent later on on the list have not been
incorporated in this draft.
In particular, this one sent on April the 28 th:
*1) *The title of this spec. is:
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
So, this spec. is supposed to be targeted to OAuth *2.0. *
However, the header at the top of the page omits to mention it.
Currently, it is :
Internet-Draft OAuth Access Token JWT Profile April 2020
It should rather be:
Internet-Draft OAuth *2.0* Access Token JWT Profile April 2020
It has been acknowledged by Vittorio on April, the 29 th:
/> The title of this spec./
Fixed, thanks!
This means that the draft document currently available on the IETF
server is not reflecting the agreed comments.
Since then, I questioned myself how a client would be able to request an
access token that would be
*strictly compliant with this Profile*.
For doing this exercise, I took a look at section 3 on pages 6 to 8. To
summarize my findings:
* the request MAY include a "resource" parameter. If the request does
not include a "resource" parameter,
the authorization server MUST use in the "aud" claim a default
resource indicator.
* the request MAY include "scope" parameter. If a "scope" parameter is
present in the request,
the authorization server SHOULD use it to infer the value of the
default resource indicator to be used in the "aud" claim.
It seems to mean that if the request includes no "resource" parameter
and no "scope" parameter, the access token will necessarily
include the "sub" claim.
If in the request, there would be present a parameter meaning "I want a
token compliant with *this OAuth 2.0 profile*",
then there would be no problem, but this is not the case.
In the future, if additional parameters are included in the request,
will the "sub" claim necessarily be present in the access token ?
If yes, this may be a privacy concern.
On the list there have been requirements for not making the "sub"
parameter mandatory.
This point needs to be addressed and solved one way or another.
Denis
All,
Based on the 3rd WGLC, we believe that we have consensus to move this
document forward.
https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
We will be working on the shepherd write-up and then submit the
document to the IESG soon.
Regards,
Rifaat & Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth