Re: [OAUTH-WG] JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

Fri, 22 May 2020 02:38:46 -0700 

Hi Benjamin,

On Thu, May 14, 2020 at 04:29:43PM +0200, Denis wrote:

Since then, I questioned myself how a client would be able to request an
access token that would be
*strictly compliant with this Profile*.

I don't understand why this is an interesting question to ask.  The access
token and interpretation thereof is (AIUI) generally seen as an internal
matter between AS and RS, with the client having no need to care about the
specifics.



This document is*_a_* Profile for OAuth 2.0 Access Tokens. It is not 
_*the*_ Profile for *_all_ *OAuth 2.0 Access Tokens.



1) A client may wish to obtain an Access Token that corresponds to this 
Profile because, for example,
this document mandates the "sub" claim to be present". Hence, the 
content of the Access Token is not

totally "/an internal matter between AS and RS/".


However, I have not understood how a client could request an Access 
Token that corresponds to *_this_***Profile,
since there is no mandatory parameter in the request (both the "scope" 
parameter and the "resource" parameter are optional).



In the future, we could define _*another*_**Profile. Hence, there is the 
same question:  How could a client request an Access Token

that corresponds to *_that other_***Profile ?


2) When getting a JWT,  how can the client make sure that the access 
token it got is compliant with this Profile ?


RFC 8725 states in section 3.11 :

   3.11. Use Explicit Typing
   Sometimes, one kind of JWT can be confused for another. If a
   particular kind of JWT is subject to such confusion,
   that JWT can include an explicit JWT type value, and the validation
   rules can specify checking the type (...).
   Explicit JWT typing is accomplished by using the "typ" Header
   Parameter.


Wouldn't be wise to include an explicit JWT type value for JWTs 
conformant to this Profile ?



This relates to an email posted by Dominick Baier under the topic "JAR: 
JWT typ" on May 19 :


   This has been brought up before - but no response.

   Either I can’t find it - or it is missing. But is the setting the
   JWT typ explicitly mentioned somewhere?

Denis


To my knowledge, this WG has not previously given guidance
indicating that the client should be involved or specifics for how to do
so, and I do not remember seeing WG agreement that this should change.

-Ben




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth






















					Reply via email to