Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Rifaat Shekh-Yusef
I have uploaded the second presentation for today's session, the JWT Profile for Access Tokens. https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth Regards, Rifaat On Fri, Apr 10, 2020 at 9:35 AM Rifaat Shekh-Yusef wrote: > The following is a link to the coming interim me

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Denis
Hello, More on privacy about "JWT Profile for Access Tokens". The current document REQUIRES the claim names sub and client_id. * sub REQUIRED - as defined in section 4.1.2 of [RFC7519]. * client_id REQUIRED - as defined in section 4.3 of [RFC8693] 1) sub REQUIRED: RFC 7519 states:

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Dick Hardt
Why does the "sub" need to be required? An access token is to prove authorization. The RS may not need "sub" to constrain fulfilling the client request. For example, if the access token has the same properties as a movie ticket, the RS does not need to have any identifier for who purchased the mo

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Aaron Parecki
This is a good point, I often use the hotel key analogy as well. The room door is the RS, the key is the access token, the door does not need to know who the user is in order to know if it’s okay to unlock given a particular key. If sub is required, then this profile is limited in use to cases whe
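The movie-ticket and hotel-key argument made above (that an RS can reach an access decision from the token alone, with no "sub"), worked through as an added example that is not part of this thread or of the draft's authors' code. It assumes a hypothetical issuer, audience, client_id and a shared HS256 demo key (a real AS would sign with an asymmetric key and the RS would fetch its JWKS); the REQUIRED claims other than sub and client_id (iss, exp, aud, iat, jti) are those listed by the draft under discussion, and the "at+jwt" typ header is its media type. A `require_sub` switch shows the same client-credentials token being accepted when sub is optional and rejected when it is REQUIRED.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key shared by the demo AS and demo RS (not for production;
# real deployments use RS256/ES256 and the RS fetches the AS's public keys).
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://as.example"          # hypothetical AS
DEMO_AUDIENCE = "https://rs.example/api"    # hypothetical RS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Demo AS: HS256-sign a claim set under the 'at+jwt' typ header."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(token: str, issuer: str, audience: str,
                          require_sub: bool = True, key: bytes = DEMO_KEY,
                          now: Optional[int] = None) -> dict:
    """Demo RS: check header, signature and the profile's REQUIRED claims.
    require_sub toggles the disputed 'sub' requirement."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Refuse anything that is not an access token (e.g. an ID token) up front.
    if header.get("typ") != "at+jwt":
        raise ValueError("typ is not at+jwt")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    required = ["iss", "exp", "aud", "client_id", "iat", "jti"]
    if require_sub:
        required.append("sub")
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    if claims["iss"] != issuer:
        raise ValueError("wrong issuer")
    aud = claims["aud"]
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this RS")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, required_scope: str) -> bool:
    """The RS's access decision. Like a hotel key, it turns on what the
    token grants (scope), not on who obtained it."""
    return required_scope in set(claims.get("scope", "").split())


# Constructed example: a client-credentials token that carries no 'sub'.
NO_SUB_CLAIMS = {
    "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "client_id": "reporting-batch",
    "iat": 1700000000, "exp": 1700003600, "jti": "tok-0001", "scope": "read:reports",
}


def demo(now: int = 1700000010) -> dict:
    token = mint_token(NO_SUB_CLAIMS)
    results = {}
    # sub optional: validation passes and the scope check alone authorizes.
    claims = validate_access_token(token, DEMO_ISSUER, DEMO_AUDIENCE,
                                   require_sub=False, now=now)
    results["sub_optional"] = authorize(claims, "read:reports")
    results["sub_optional_other_scope"] = authorize(claims, "write:reports")
    # sub REQUIRED, as the draft text stands: the same token is rejected.
    try:
        validate_access_token(token, DEMO_ISSUER, DEMO_AUDIENCE,
                              require_sub=True, now=now)
        results["sub_required"] = "accepted"
    except ValueError as err:
        results["sub_required"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the two outcomes side by side; the only thing that changes between them is the `require_sub` flag, which is the whole of the disagreement in the thread.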

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

2020-04-13 Thread Richard Backman, Annabelle
There are use cases where the AS can be expected to know (and in fact needs to know) which RSes a token will be used with, and use cases where there is value in obscuring this fact. This spec should not be limited to only one or the other. The work you suggest to support obscuring the RS identit

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Vittorio Bertocci
It’s certainly possible to conceive ATs without subs, but I think the profile would be way less useful for SDK developers. On the objections: The sub doesn’t have to be a user, if you look at the earlier discussions the case in which the token has been issued for an application via client creds (he

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Vittorio Bertocci
“Ide rockers” is iPhone autocorrect jargon for “identifiers”, of course :P On Mon, Apr 13, 2020 at 13:13 Vittorio Bertocci wrote: > It’s certainly possible to conceive ATs without subs, but I think the > profile would be way less useful for SDK developers. > On the objections: > The sub doesn’t

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

2020-04-13 Thread Dick Hardt
An SDK is going to support "sub" whether it is required or optional. On Mon, Apr 13, 2020 at 1:40 PM Vittorio Bertocci wrote: > “Ide rockers” is iPhone autocorrect jargon for “identifiers”, of course :P > > On Mon, Apr 13, 2020 at 13:13 Vittorio Bertocci > wrote: > >> It’s certainly possible t