Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread Pedro Igor Silva
+1 plus Anthony's caveats.

The draft seems to provide a good reference for implementors by providing
how different ASes are using JWT as the access token format. As well as
providing valuable information about validation and security considerations.

Regards.
Pedro Igor

On Wed, Apr 10, 2019 at 8:12 AM Anthony Nadalin  wrote:

> I support adoption of this draft as a working group document with the
> following caveats:
>
> 1. These are not to be used as ID Tokens/authentication tokens
> 2. The privacy issues must be addressed
> 3. Needs to be extensible, much like ID-Token, can't be 100% fixed
>
>
> -Original Message-
> From: OAuth  On Behalf Of Hannes Tschofenig
> Sent: Monday, April 8, 2019 10:07 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens
>
> Hi all,
>
> this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'
> document following the positive feedback at the last IETF meeting in Prague.
>
> Here is the document:
>
> https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00
>
> Please let us know by April 22nd whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth working
> group.
>
> Ciao
> Hannes & Rifaat
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>
> ___
> OAuth mailing list
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>


Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread Dick Hardt
+1

On Mon, Apr 8, 2019 at 10:07 AM Hannes Tschofenig 
wrote:

> Hi all,
>
> this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'
> document following the positive feedback at the last IETF meeting in Prague.
>
> Here is the document:
> https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00
>
> Please let us know by April 22nd whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
>
> Ciao
> Hannes & Rifaat
>


Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread n-sakimura
+1 

For that matter, explicit typing is good and I am a bit ambivalent on the use 
of `sub`. 

Also, I need to add the 4th consideration: Although the current privacy
consideration talks about encryption, it is in relation to end-user
exposure. In fact, a by-value access token, when it involves some PII, is by
definition leaking information and violating the data minimization principle.
This should be clearly delineated. My gut feeling is that it should be
encrypted unless it is certain that it does not include sensitive PII, as
judging whether a claim may form PII is too hard for an average developer.

-Original Message-
From: OAuth  On Behalf Of Anthony Nadalin
Sent: Wednesday, April 10, 2019 8:12 PM
To: Hannes Tschofenig ; oauth@ietf.org
Subject: Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

I support adoption of this draft as a working group document with the following 
caveats:

1. These are not to be used as ID Tokens/authentication tokens
2. The privacy issues must be addressed
3. Needs to be extensible, much like ID-Token, can't be 100% fixed


-Original Message-
From: OAuth  On Behalf Of Hannes Tschofenig
Sent: Monday, April 8, 2019 10:07 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

Hi all,

this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'  
document following the positive feedback at the last IETF meeting in Prague.

Here is the document:
https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00

Please let us know by April 22nd whether you accept / object to the adoption of 
this document as a starting point for work in the OAuth working group.

Ciao
Hannes & Rifaat

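An added illustration of two points raised in this thread (not part of any poster's message, and not code from the draft): a signed but unencrypted by-value token lets any holder read its claims, and explicit typing lets a resource server refuse an ID Token presented as an access token. The `at+jwt` type value is the one registered by RFC 9068, the published form of this draft; the key, claims and PII claim list are constructed for the example.

```python
import base64, hashlib, hmac, json

KEY = b"demo-key-constructed"                      # constructed sample key
PII_CLAIMS = {"email", "name", "phone_number", "address", "birthdate"}  # assumed list

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def issue(claims: dict, key: bytes, typ: str) -> str:
    """AS side: HS256-signed (not encrypted) by-value token."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def readable_without_key(token: str) -> dict:
    """What any holder (client, proxy, log reader) sees: no key needed."""
    return json.loads(b64url_decode(token.split(".")[1]))

def exposed_pii(token: str) -> set:
    """Data-minimization audit: PII claims visible in the signed-only token."""
    return PII_CLAIMS & readable_without_key(token).keys()

def accept_as_access_token(token: str, key: bytes) -> dict:
    """RS side: verify the signature, then require explicit typing."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        raise ValueError("typ is not at+jwt: not an access token")
    return json.loads(b64url_decode(p))

# Constructed sample tokens: an access token carrying PII, and an ID-Token-like JWT.
CLAIMS = {"iss": "https://as.example", "aud": "https://api.example",
          "sub": "user-1234", "email": "alice@example.com"}
ACCESS_TOKEN = issue(CLAIMS, KEY, typ="at+jwt")
ID_TOKEN_LIKE = issue(CLAIMS, KEY, typ="JWT")
```
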


Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

2019-04-10 Thread Anthony Nadalin
I support adoption of this draft as a working group document with the following 
caveats:

1. These are not to be used as ID Tokens/authentication tokens 
2. The privacy issues must be addressed 
3. Needs to be extensible, much like ID-Token, can't be 100% fixed 


-Original Message-
From: OAuth  On Behalf Of Hannes Tschofenig
Sent: Monday, April 8, 2019 10:07 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

Hi all,

this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'  
document following the positive feedback at the last IETF meeting in Prague.

Here is the document:
https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00

Please let us know by April 22nd whether you accept / object to the adoption of 
this document as a starting point for work in the OAuth working group.

Ciao
Hannes & Rifaat
