Re: [OAUTH-WG] JWT grant_type and client_id
Client authentication is optional. But I'm not sure I follow the question?

On Wed, May 1, 2013 at 7:44 AM, Phil Hunt phil.h...@oracle.com wrote:

I find the text confusing regarding client auth.

"A client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint"

It seems to suggest client auth is optional due to the MAY when in fact it is just referring to the client_id identifier which is not authn. I fear many have missed this subtle distinction. Or did you really intend optionality for assertions?

Phil

On 2013-05-01, at 5:35, Brian Campbell bcampb...@pingidentity.com wrote:

Just trying to close the loop on this thread (six weeks later, sorry). New drafts were published last month that (hopefully) have more clear text about the treatment of client_id. And it's been removed from examples where it's optional.

http://www.ietf.org/mail-archive/web/oauth/current/msg11213.html

On Tue, Mar 19, 2013 at 4:22 AM, Sergey Beryozkin sberyoz...@gmail.com wrote:

Hi,

Just one remark, the example in [1] shows client_id; IMHO it makes sense to clarify that in this context (where the assertion is used as a grant), it is optional as per:

http://tools.ietf.org/html/rfc6749#section-3.2.1

"A client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint"

and otherwise

http://tools.ietf.org/html/rfc6749#section-2.3

dictates how the client authentication is done.

By the way, my reading of the main spec's section 2.3 tells me that the only time one would use only client_id in the form payload is when the client secret is empty or perhaps the client is not in the possession of the secret.

Does it make sense to completely drop a client_id parameter in the example at [1] in the assertion draft and use an example with a Basic authentication instead?

Thanks, Sergey

On 15/03/13 22:12, Brian Campbell wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant[1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?).

Also RFC 6749 defines the scope parameter for the client credentials access token request[2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 Adam.Lewis@motorolasolutions.com wrote:

Right ... thinking about this further I think the answer is all of the above. If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim.

So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:

Hi John,

I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey

Thoughts?

adam

From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Friday, March 15, 2013 12:10 PM
To: Lewis Adam-CAL022
Cc: Brian Campbell; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

The spec is a touch vague on that. I think the scopes should
Re: [OAUTH-WG] JWT grant_type and client_id
I find the text confusing regarding client auth.

"A client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint"

It seems to suggest client auth is optional due to the MAY when in fact it is just referring to the client_id identifier which is not authn. I fear many have missed this subtle distinction. Or did you really intend optionality for assertions?

Phil

On 2013-05-01, at 5:35, Brian Campbell bcampb...@pingidentity.com wrote:

Just trying to close the loop on this thread (six weeks later, sorry). New drafts were published last month that (hopefully) have more clear text about the treatment of client_id. And it's been removed from examples where it's optional.

http://www.ietf.org/mail-archive/web/oauth/current/msg11213.html

On Tue, Mar 19, 2013 at 4:22 AM, Sergey Beryozkin sberyoz...@gmail.com wrote:

Hi,

Just one remark, the example in [1] shows client_id; IMHO it makes sense to clarify that in this context (where the assertion is used as a grant), it is optional as per:

http://tools.ietf.org/html/rfc6749#section-3.2.1

"A client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint"

and otherwise

http://tools.ietf.org/html/rfc6749#section-2.3

dictates how the client authentication is done.

By the way, my reading of the main spec's section 2.3 tells me that the only time one would use only client_id in the form payload is when the client secret is empty or perhaps the client is not in the possession of the secret.

Does it make sense to completely drop a client_id parameter in the example at [1] in the assertion draft and use an example with a Basic authentication instead?

Thanks, Sergey

On 15/03/13 22:12, Brian Campbell wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant[1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?).

Also RFC 6749 defines the scope parameter for the client credentials access token request[2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Right ... thinking about this further I think the answer is all of the above. If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim.

So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:

Hi John,

I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey

Thoughts?

adam

From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Friday, March 15, 2013 12:10 PM
To: Lewis Adam-CAL022
Cc: Brian Campbell; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

The spec is a touch vague on that. I think the scopes should be in the assertion and the client can use the scopes outside the assertion to down-scope.

Having a standard claim in JWT and SAML for passing scopes is probably useful as part of a profile.

John B.

On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com
Re: [OAUTH-WG] JWT grant_type and client_id
Hi,

Just one remark, the example in [1] shows client_id; IMHO it makes sense to clarify that in this context (where the assertion is used as a grant), it is optional as per:

http://tools.ietf.org/html/rfc6749#section-3.2.1

"A client MAY use the client_id request parameter to identify itself when sending requests to the token endpoint"

and otherwise

http://tools.ietf.org/html/rfc6749#section-2.3

dictates how the client authentication is done.

By the way, my reading of the main spec's section 2.3 tells me that the only time one would use only client_id in the form payload is when the client secret is empty or perhaps the client is not in the possession of the secret.

Does it make sense to completely drop a client_id parameter in the example at [1] in the assertion draft and use an example with a Basic authentication instead?

Thanks, Sergey

On 15/03/13 22:12, Brian Campbell wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant[1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?).

Also RFC 6749 defines the scope parameter for the client credentials access token request[2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Right ... thinking about this further I think the answer is all of the above. If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim.

So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:

Hi John,

I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey

Thoughts?

adam

From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Friday, March 15, 2013 12:10 PM
To: Lewis Adam-CAL022
Cc: Brian Campbell; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

The spec is a touch vague on that. I think the scopes should be in the assertion and the client can use the scopes outside the assertion to down-scope.

Having a standard claim in JWT and SAML for passing scopes is probably useful as part of a profile.

John B.

On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Hmmm, one more thought ... no scope?? The JWT is the grant, is it assumed that the scope is conveyed as a claim within the token? Otherwise it would seem that it would require a scope.

Thoughts?

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, March 14, 2013 4:44 PM
To: Lewis Adam-CAL022
Cc: Mike Jones; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Yes, that is correct. I'm working on new revisions of the drafts that will hopefully make that point more clear.

On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022 adam.le
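Phil's distinction between identifying a client (client_id) and authenticating it (RFC 6749 section 2.3), and Sergey's point that Basic authentication is the normal way to do the latter, can be made concrete in token-endpoint code. The following is an added example written for this page, not code from the thread or from any draft; the token-endpoint URL, client registry, issuer key and the HS256 choice are constructed assumptions, and the scope down-scoping rule follows John Bradley's suggestion in the thread rather than any normative text.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Constructed for this example: token endpoint, client registry, issuer HS256 key.
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENTS = {
    "conf-client": {"secret": b"conf-client-secret", "confidential": True},
    "pub-client": {"secret": None, "confidential": False},
}
ISSUER_KEYS = {"https://idp.example.com": b"shared-issuer-key"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for the assertion issuer."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def basic_auth_header(client_id: str, secret: str) -> dict:
    """HTTP Basic client credentials (RFC 6749 section 2.3.1)."""
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}


def authenticate_client(headers: dict):
    """Return the client_id proven by HTTP Basic credentials, or None when no
    credentials were sent. A bare client_id form parameter is not a credential."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    registered = CLIENTS.get(client_id)
    if registered is None or registered["secret"] is None:
        raise ValueError("invalid_client")
    if not hmac.compare_digest(registered["secret"], secret.encode()):
        raise ValueError("invalid_client")
    return client_id


def verify_assertion(token: str, now: float) -> dict:
    """Check signature, issuer, audience and expiry of the bearer assertion."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        raise ValueError("invalid_grant")
    key = ISSUER_KEYS.get(claims.get("iss"))
    if header.get("alg") != "HS256" or key is None:
        raise ValueError("invalid_grant")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid_grant")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if TOKEN_ENDPOINT not in aud or claims.get("exp", 0) <= now:
        raise ValueError("invalid_grant")
    return claims


def effective_scope(requested, asserted):
    """John Bradley's suggestion: a scope claim in the assertion bounds the grant
    and the HTTP scope parameter may only narrow it (space-delimited strings)."""
    if asserted is None or requested is None:
        return requested if asserted is None else asserted
    if not set(requested.split()) <= set(asserted.split()):
        raise ValueError("invalid_scope")
    return requested


def handle_token_request(headers: dict, body: str, now=None) -> dict:
    """Handle a JWT bearer grant request: an OAuth error code, or the
    attributes the AS would mint an access token from."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    if "assertion" not in form:
        return {"error": "invalid_request"}
    try:
        authenticated = authenticate_client(headers)
        identified = form.get("client_id")
        if identified and identified not in CLIENTS:
            raise ValueError("invalid_client")
        if authenticated and identified and authenticated != identified:
            raise ValueError("invalid_client")
        client = authenticated or identified
        # client_id only identifies (Phil Hunt's point); a confidential client
        # that merely names itself has not authenticated.
        if client and CLIENTS[client]["confidential"] and not authenticated:
            raise ValueError("invalid_client")
        claims = verify_assertion(form["assertion"], now)
        scope = effective_scope(form.get("scope"), claims.get("scope"))
    except ValueError as exc:
        return {"error": str(exc)}
    return {"sub": claims.get("sub"), "client": client, "scope": scope}
```

A request with neither client_id nor credentials is accepted (client authentication is optional for this grant), while a registered confidential client that sends only client_id is rejected with invalid_client.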
Re: [OAUTH-WG] JWT grant_type and client_id
It's a question of whether the JWT spec alone is used (in which case it needs scope) or whether another profile for access tokens is needed. Since scope is fundamental to OAuth, I think it is part of the core set of minimal attributes for access tokens. In fact I can envision cases where references to authorizing user or client might be eliminated or anonymized leaving only one. E.g. grant the holder of this token the right to do scope xyz.

Phil

Sent from my phone.

On 2013-03-15, at 21:03, Mike Jones michael.jo...@microsoft.com wrote:

Having a scope claim in specific profiles could make sense. That doesn't mean that it has to be defined in the JWT spec per se. If anything, people expressed a desire in yesterday's working group meeting to keep the base claims set small, rather than expanding it. Profiles can register the claims they define in the IANA JWT Claims registry, if they choose.

-- Mike

From: Lewis Adam-CAL022
Sent: March 15, 2013 3:55 PM
To: Brian Campbell
CC: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

I guess that it depends on what JWT is meant to be. My understanding is that it began as something to support Web SSO authentication for OIDC, so scope didn't make any sense then. Nor does it make any sense as a strict grant type. The use case where it becomes interesting (the one I am looking to) is for when an access token or refresh token is a JWT. I think some vendors are beginning to make their structured tokens a JWT, and that is my current thinking as well ... if folks agree that JWT can be used as the structure for OAuth tokens, then it makes sense to include a scope field. If not, then it will be JSON+encryption+signing, just not a JWT ☺

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 15, 2013 5:16 PM
To: Lewis Adam-CAL022
Cc: Sergey Beryozkin; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Codifying a claim/attribute for scope that goes in the assertion is something that's been discussed but never seemed to get sufficient consensus regarding how exactly to do it and if it really provided much value.

On Fri, Mar 15, 2013 at 4:12 PM, Brian Campbell bcampb...@pingidentity.com wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant[1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?).

Also RFC 6749 defines the scope parameter for the client credentials access token request[2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Right ... thinking about this further I think the answer is all of the above. If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim.

So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:

Hi John,

I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey

Thoughts?

adam

From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Friday, March 15, 2013 12:10 PM
To: Lewis Adam-CAL022
Cc: Brian Campbell; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

The spec is a touch vague on that. I think the scopes should be in the assertion and the client can use the scopes outside the assertion to down-scope.

Having a standard claim in JWT and SAML for passing scopes is probably useful as part of a profile.

John B.

On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote
Re: [OAUTH-WG] JWT grant_type and client_id
I agree that it's likely a claim that would be used in access tokens. I'm coming to the conclusion that we should actually write an access token profile for JWT and probably SAML as well. This would be parallel to the kinds of requirements placed on the use of SAML and JWT when used for client authentication and as resource grants. This could only help interoperability, as people would have a place to go to read about best practices for this use case.

-- Mike

From: Phil Hunt [mailto:phil.h...@oracle.com]
Sent: Saturday, March 16, 2013 2:52 AM
To: Mike Jones
Cc: Brian Campbell; Lewis Adam-CAL022; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

It's a question of whether the JWT spec alone is used (in which case it needs scope) or whether another profile for access tokens is needed. Since scope is fundamental to OAuth, I think it is part of the core set of minimal attributes for access tokens. In fact I can envision cases where references to authorizing user or client might be eliminated or anonymized leaving only one. E.g. grant the holder of this token the right to do scope xyz.

Phil

Sent from my phone.

On 2013-03-15, at 21:03, Mike Jones michael.jo...@microsoft.com wrote:

Having a scope claim in specific profiles could make sense. That doesn't mean that it has to be defined in the JWT spec per se. If anything, people expressed a desire in yesterday's working group meeting to keep the base claims set small, rather than expanding it. Profiles can register the claims they define in the IANA JWT Claims registry, if they choose.

-- Mike

From: Lewis Adam-CAL022
Sent: March 15, 2013 3:55 PM
To: Brian Campbell
CC: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

I guess that it depends on what JWT is meant to be. My understanding is that it began as something to support Web SSO authentication for OIDC, so scope didn't make any sense then. Nor does it make any sense as a strict grant type. The use case where it becomes interesting (the one I am looking to) is for when an access token or refresh token is a JWT. I think some vendors are beginning to make their structured tokens a JWT, and that is my current thinking as well ... if folks agree that JWT can be used as the structure for OAuth tokens, then it makes sense to include a scope field. If not, then it will be JSON+encryption+signing, just not a JWT ☺

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 15, 2013 5:16 PM
To: Lewis Adam-CAL022
Cc: Sergey Beryozkin; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Codifying a claim/attribute for scope that goes in the assertion is something that's been discussed but never seemed to get sufficient consensus regarding how exactly to do it and if it really provided much value.

On Fri, Mar 15, 2013 at 4:12 PM, Brian Campbell bcampb...@pingidentity.com wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant[1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?).

Also RFC 6749 defines the scope parameter for the client credentials access token request[2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Right ... thinking about this further I think the answer is all of the above. If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim.

So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:

Hi John,

I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token
Re: [OAUTH-WG] JWT grant_type and client_id
+1

I've been trying to argue this for a bit now ... that while OAuth may not deprecate the usage of unstructured access tokens (or prohibit others from defining their own), having WG guidance on what a structured JWT (or SAML) access token would look like ... I think developers moving forward might be inclined to use it.

adam

From: Mike Jones [mailto:michael.jo...@microsoft.com]
Sent: Saturday, March 16, 2013 12:17 PM
To: Phil Hunt
Cc: Brian Campbell; Lewis Adam-CAL022; oauth@ietf.org
Subject: RE: [OAUTH-WG] JWT grant_type and client_id

I agree that it's likely a claim that would be used in access tokens. I'm coming to the conclusion that we should actually write an access token profile for JWT and probably SAML as well. This would be parallel to the kinds of requirements placed on the use of SAML and JWT when used for client authentication and as resource grants. This could only help interoperability, as people would have a place to go to read about best practices for this use case.

-- Mike

From: Phil Hunt [mailto:phil.h...@oracle.com]
Sent: Saturday, March 16, 2013 2:52 AM
To: Mike Jones
Cc: Brian Campbell; Lewis Adam-CAL022; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

It's a question of whether the JWT spec alone is used (in which case it needs scope) or whether another profile for access tokens is needed. Since scope is fundamental to OAuth, I think it is part of the core set of minimal attributes for access tokens. In fact I can envision cases where references to authorizing user or client might be eliminated or anonymized leaving only one. E.g. grant the holder of this token the right to do scope xyz.

Phil

Sent from my phone.

On 2013-03-15, at 21:03, Mike Jones michael.jo...@microsoft.com wrote:

Having a scope claim in specific profiles could make sense. That doesn't mean that it has to be defined in the JWT spec per se. If anything, people expressed a desire in yesterday's working group meeting to keep the base claims set small, rather than expanding it. Profiles can register the claims they define in the IANA JWT Claims registry, if they choose.

-- Mike

From: Lewis Adam-CAL022
Sent: March 15, 2013 3:55 PM
To: Brian Campbell
CC: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

I guess that it depends on what JWT is meant to be. My understanding is that it began as something to support Web SSO authentication for OIDC, so scope didn't make any sense then. Nor does it make any sense as a strict grant type. The use case where it becomes interesting (the one I am looking to) is for when an access token or refresh token is a JWT. I think some vendors are beginning to make their structured tokens a JWT, and that is my current thinking as well ... if folks agree that JWT can be used as the structure for OAuth tokens, then it makes sense to include a scope field. If not, then it will be JSON+encryption+signing, just not a JWT ☺

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 15, 2013 5:16 PM
To: Lewis Adam-CAL022
Cc: Sergey Beryozkin; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Codifying a claim/attribute for scope that goes in the assertion is something that's been discussed but never seemed to get sufficient consensus regarding how exactly to do it and if it really provided much value.

On Fri, Mar 15, 2013 at 4:12 PM, Brian Campbell bcampb...@pingidentity.com wrote:

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant[1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?).

Also RFC 6749 defines the scope parameter for the client credentials access token request[2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Right ... thinking about this further I think the answer is all of the above. If the JWT is a grant type then as you say it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim.

So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org
Re: [OAUTH-WG] JWT grant_type and client_id
Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:

Hi John,

I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey

Thoughts?

adam

From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Friday, March 15, 2013 12:10 PM
To: Lewis Adam-CAL022
Cc: Brian Campbell; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

The spec is a touch vague on that. I think the scopes should be in the assertion and the client can use the scopes outside the assertion to down-scope.

Having a standard claim in JWT and SAML for passing scopes is probably useful as part of a profile.

John B.

On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Hmmm, one more thought ... no scope?? The JWT is the grant, is it assumed that the scope is conveyed as a claim within the token? Otherwise it would seem that it would require a scope.

Thoughts?

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, March 14, 2013 4:44 PM
To: Lewis Adam-CAL022
Cc: Mike Jones; WG oauth@ietf.org@il06exr02.mot.com
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Yes, that is correct. I'm working on new revisions of the drafts that will hopefully make that point more clear.

On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:

Coming back to this ... am I correct in that client_id is not required? We are implementing this spec and want to make sure that we are doing it right. By my understanding the only two parameters that are required in the JWT grant type are urn:ietf:params:oauth:grant-type:jwt-bearer and the assertion. Is this correct?

From: Mike Jones [mailto:michael.jo...@microsoft.com]
Sent: Monday, February 18, 2013 6:58 PM
To: Lewis Adam-CAL022; oauth@ietf.org WG
Subject: RE: JWT grant_type and client_id

The client_id value and the access token value are independent.

-- Mike

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lewis Adam-CAL022
Sent: Monday, February 18, 2013 2:50 PM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] JWT grant_type and client_id

Is there any guidance on the usage of client_id when using the JWT assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so I assume that it is not required ... but it would be necessary if using in conjunction with a HOK profile where the JWT assertion is issued to, and may only be used by, the intended client. Obviously this is straightforward enough, really I'm just looking to be sure that I'm not missing anything.

tx

adam

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] JWT grant_type and client_id
Right ... thinking about this further, I think the answer is all of the above. If the JWT is a grant type then, as you say, it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim. So I change my argument to both :)

adam

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Friday, March 15, 2013 4:31 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Hi

On 15/03/13 20:40, Lewis Adam-CAL022 wrote:
Hi John, I would like to argue that the scope should be a parameter in the access token request message, the same as it is for the RO creds grant and client creds grant type. This would keep it consistent with the core OAuth grant types that talk directly to the token endpoint.

Assuming the assertion is acting as a grant, then it is indeed an access token request message, so IMHO it makes sense to get an outbound scope parameter optionally supported, which I guess will imply that the client id will also have to accompany it...

Cheers, Sergey
Re: [OAUTH-WG] JWT grant_type and client_id
So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant [1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?). Also RFC 6749 defines the scope parameter for the client credentials access token request [2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1

On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:
Right ... thinking about this further, I think the answer is all of the above. If the JWT is a grant type then, as you say, it needs a scope param and optionally a client_id param. I argued for the client_id param earlier since it could assist with HOK scenarios once those further develop. But when the JWT is used as an AT then it will definitely require the scope as a claim. So I change my argument to both :)

adam
Re: [OAUTH-WG] JWT grant_type and client_id
Codifying a claim/attribute for scope that goes in the assertion is something that's been discussed but never seemed to get sufficient consensus regarding exactly how to do it and if it really provided much value.

On Fri, Mar 15, 2013 at 4:12 PM, Brian Campbell bcampb...@pingidentity.com wrote:
So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant [1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?). Also RFC 6749 defines the scope parameter for the client credentials access token request [2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1
Re: [OAUTH-WG] JWT grant_type and client_id
Yeah ... I forgot about that. I remember figuring that out at one point and then I guess I lost it. So right, my vote would be to make it more clear, either by repeating the full list of params (my vote) or by at least making a reference. It would be nice to be able to read the JWT or SAML profiles as a self-contained doc.

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 15, 2013 5:13 PM
To: Lewis Adam-CAL022
Cc: Sergey Beryozkin; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

So currently the base assertion document defines scope as an HTTP parameter on the access token request message when using an assertion as a grant [1]. And that applies to both the SAML and JWT grants (perhaps that needs to be more clear?). Also RFC 6749 defines the scope parameter for the client credentials access token request [2], which similarly applies to both SAML and JWT in the case of assertion client authentication using the client_credentials grant type.

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
[2] http://tools.ietf.org/html/rfc6749#section-4.4.1
Re: [OAUTH-WG] JWT grant_type and client_id
I guess that it depends on what JWT is meant to be. My understanding is that it began as something to support Web SSO authentication for OIDC, so scope didn't make any sense then. Nor does it make any sense as a strict grant type. The use case where it becomes interesting (the one I am looking to) is for when an access token or refresh token is a JWT. I think some vendors are beginning to make their structured tokens a JWT, and that is my current thinking as well ... if folks agree that JWT can be used as the structure for OAuth tokens, then it makes sense to include a scope field. If not, then it will be JSON+encryption+signing, just not a JWT :)

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 15, 2013 5:16 PM
To: Lewis Adam-CAL022
Cc: Sergey Beryozkin; oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Codifying a claim/attribute for scope that goes in the assertion is something that's been discussed but never seemed to get sufficient consensus regarding exactly how to do it and if it really provided much value.
Re: [OAUTH-WG] JWT grant_type and client_id
Having a scope claim in specific profiles could make sense. That doesn't mean that it has to be defined in the JWT spec per se. If anything, people expressed a desire in yesterday's working group meeting to keep the base claims set small, rather than expanding it. Profiles can register the claims they define in the IANA JWT Claims registry, if they choose.

-- Mike

From: Lewis Adam-CAL022
Sent: March 15, 2013 3:55 PM
To: Brian Campbell
CC: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

I guess that it depends on what JWT is meant to be. My understanding is that it began as something to support Web SSO authentication for OIDC, so scope didn't make any sense then. Nor does it make any sense as a strict grant type. The use case where it becomes interesting (the one I am looking to) is for when an access token or refresh token is a JWT. I think some vendors are beginning to make their structured tokens a JWT, and that is my current thinking as well ... if folks agree that JWT can be used as the structure for OAuth tokens, then it makes sense to include a scope field. If not, then it will be JSON+encryption+signing, just not a JWT :)

adam
Re: [OAUTH-WG] JWT grant_type and client_id
Coming back to this ... am I correct in that client_id is not required? We are implementing this spec and want to make sure that we are doing it right. By my understanding the only two parameters that are required in the JWT grant type are urn:ietf:params:oauth:grant-type:jwt-bearer and the assertion. Is this correct?

From: Mike Jones [mailto:michael.jo...@microsoft.com]
Sent: Monday, February 18, 2013 6:58 PM
To: Lewis Adam-CAL022; oauth@ietf.org WG
Subject: RE: JWT grant_type and client_id

The client_id value and the access token value are independent.

-- Mike
Re: [OAUTH-WG] JWT grant_type and client_id
Yes, that is correct. I'm working on new revisions of the drafts that will hopefully make that point more clear.

On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:
Coming back to this ... am I correct in that client_id is not required? We are implementing this spec and want to make sure that we are doing it right. By my understanding the only two parameters that are required in the JWT grant type are urn:ietf:params:oauth:grant-type:jwt-bearer and the assertion. Is this correct?
Re: [OAUTH-WG] JWT grant_type and client_id
Hmmm, one more thought ... no scope?? The JWT is the grant, is it assumed that the scope is conveyed as a claim within the token? Otherwise it would seem that it would require a scope. Thoughts?

adam

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, March 14, 2013 4:44 PM
To: Lewis Adam-CAL022
Cc: Mike Jones; WG oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT grant_type and client_id

Yes, that is correct. I'm working on new revisions of the drafts that will hopefully make that point more clear.
Re: [OAUTH-WG] JWT grant_type and client_id
Yeah, in general the client identification/authentication is independent from the grant being presented. There may be policy (maybe unidentified clients aren't allowed) or other protocol details (like some kind of HoK bound to the client, though that doesn't exist yet) that dictate more requirements on the client identifier. But in the general case they are independent and the client_id is not required.

On Mon, Feb 18, 2013 at 5:58 PM, Mike Jones michael.jo...@microsoft.com wrote:
> The client_id value and the access token value are independent.
>
> -- Mike
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lewis Adam-CAL022
> Sent: Monday, February 18, 2013 2:50 PM
> To: oauth@ietf.org WG
> Subject: [OAUTH-WG] JWT grant_type and client_id
>
> Is there any guidance on the usage of client_id when using the JWT assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so I assume that it is not required … but it would be necessary if using in conjunction with a HOK profile where the JWT assertion is issued to – and may only be used by – the intended client. Obviously this is straightforward enough, really I’m just looking to be sure that I’m not missing anything.
>
> tx
> adam
Re: [OAUTH-WG] JWT grant_type and client_id
At the moment no. The HoK work is ongoing.

If you are talking about using an assertion as an authorization grant, the subject should be the resource owner or some proxy for that. In Connect that would be the user_id, not the client_id.

We have added Authorized party (azp) to Connect id_tokens; that would be where the client_id of the requester of the token would go. That however is a Connect extension of JWT and not documented as part of assertion processing.

One might expect that in some cases the token endpoint might authenticate the client and match the client_id with the value of azp for increased security. That can be done now and is a bit like symmetric proof of possession where azp is used as a reference.

Once you start crossing trust boundaries things get more complicated, as the client probably has a different client_id for each AS. So at that point you can't use the client_id and need to probably go to asymmetric proof of possession and trust that the initial assertion in the chain has properly authenticated the client.

This needs more work to flesh out. I know Justin is also working on some token chaining proposals.

John B.

On 2013-02-18, at 7:50 PM, Lewis Adam-CAL022 adam.le...@motorolasolutions.com wrote:
> Is there any guidance on the usage of client_id when using the JWT assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so I assume that it is not required … but it would be necessary if using in conjunction with a HOK profile where the JWT assertion is issued to – and may only be used by – the intended client. Obviously this is straightforward enough, really I’m just looking to be sure that I’m not missing anything.
>
> tx
> adam

smime.p7s Description: S/MIME cryptographic signature
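To pin down what the thread settles on (Brian's confirmation that grant_type and assertion are the only required parameters of the JWT bearer grant, with client_id and scope optional, and John's suggestion that a token endpoint may match an authenticated client_id against an azp claim), here is an added token-endpoint example in Python. It is not code from the drafts or from any participant; the HS256 issuer key, the audience value, the azp matching policy and the `handle_token_request` / `verify_assertion` names are constructed assumptions for the demo, and the assertion drafts' full processing rules contain more checks than are shown here.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed demo values (hypothetical): the secret the AS shares with the
# assertion issuer, and the token endpoint URL the assertion must be audienced to.
ISSUER_KEY = b"constructed-demo-issuer-key"
AS_TOKEN_ENDPOINT = "https://as.example/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Build an HS256-signed JWT; only used to construct sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_assertion(token: str, key: bytes = ISSUER_KEY, now=None) -> dict:
    """Check alg, signature, exp, aud and required claims; raise ValueError on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never honour 'none' or an unexpected alg
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if claims.get("aud") != AS_TOKEN_ENDPOINT:
        raise ValueError("wrong audience")
    for required in ("iss", "sub"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    return claims


def handle_token_request(form_body: str, authenticated_client=None, now=None) -> dict:
    """Token endpoint logic for the jwt-bearer grant.

    Required form parameters: grant_type and assertion.  Optional: scope, client_id.
    authenticated_client is the client_id established by client authentication
    (e.g. HTTP Basic) on the request, or None for an unauthenticated client.
    """
    form = {k: v[-1] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    if "assertion" not in form:
        return {"error": "invalid_request", "error_description": "assertion required"}
    try:
        claims = verify_assertion(form["assertion"], now=now)
    except ValueError as e:
        return {"error": "invalid_grant", "error_description": str(e)}

    # Client identity is independent of the grant.  If both a client_id parameter
    # and an authenticated client are present they must agree ...
    client_id = form.get("client_id")
    if client_id and authenticated_client and client_id != authenticated_client:
        return {"error": "invalid_client"}
    client = authenticated_client or client_id
    # ... and, when the assertion carries an azp claim, the client must match it.
    # (Policy choice for this demo, following John's suggestion above.)
    if client and "azp" in claims and claims["azp"] != client:
        return {"error": "invalid_grant", "error_description": "azp mismatch"}

    scope = form.get("scope", "").split()
    return {"access_token": "constructed-opaque-token", "token_type": "Bearer",
            "sub": claims["sub"], "client": client, "scope": scope}
```

The endpoint accepts a request with no client_id at all, which is the case the thread agrees is legitimate; the azp check only fires when the assertion names an authorized party and the request identifies a client, so a bare assertion-as-grant request is unaffected.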
[OAUTH-WG] JWT grant_type and client_id
Is there any guidance on the usage of client_id when using the JWT assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so I assume that it is not required ... but it would be necessary if using in conjunction with a HOK profile where the JWT assertion is issued to - and may only be used by - the intended client. Obviously this is straightforward enough, really I'm just looking to be sure that I'm not missing anything.

tx
adam
Re: [OAUTH-WG] JWT grant_type and client_id
The client_id value and the access token value are independent.

-- Mike

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lewis Adam-CAL022
Sent: Monday, February 18, 2013 2:50 PM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] JWT grant_type and client_id

> Is there any guidance on the usage of client_id when using the JWT assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04 makes no mention so I assume that it is not required ... but it would be necessary if using in conjunction with a HOK profile where the JWT assertion is issued to - and may only be used by - the intended client. Obviously this is straightforward enough, really I'm just looking to be sure that I'm not missing anything.
>
> tx
> adam