I have uploaded the second presentation for today's session, the JWT
Profile for Access Tokens.
https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth
Regards,
Rifaat
On Fri, Apr 10, 2020 at 9:35 AM Rifaat Shekh-Yusef wrote:
> The following is a link to the coming interim me
Hello,
More on privacy about "JWT Profile for Access Tokens".
The current document REQUIRES the claim names *sub* and *client_id*.
* sub REQUIRED - as defined in section 4.1.2 of [RFC7519].
* client_id REQUIRED - as defined in section 4.3 of [RFC8693]
1) sub REQUIRED
RFC 7519 states:
Why does the "sub" need to be required?
An access token is to prove authorization. The RS may not need "sub" to
constrain fulfilling the client request.
For example, if the access token has the same properties as a movie ticket,
the RS does not need to have any identifier for who purchased the mo
This is a good point, I often use the hotel key analogy as well. The room
door is the RS, the key is the access token, the door does not need to know
who the user is in order to know if it’s okay to unlock given a particular
key.
If sub is required, then this profile is limited in use to cases whe
There are use cases where the AS can be expected to know (and in fact needs to
know) which RSes a token will be used with, and use cases where there is value
in obscuring this fact. This spec should not be limited to only one or the
other. The work you suggest to support obscuring the RS identit
It’s certainly possible to conceive ATs without subs, but I think the
profile would be way less useful for SDK developers.
On the objections:
The sub doesn’t have to be a user, if you look at the earlier discussions
the case in which the token has been issued for an application via client
creds (he
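As an added illustration of the "sub REQUIRED" debate above, the hotel-key analogy and the client-credentials case (example code, not from the thread or the draft): a minimal AS/RS pair in which the RS insists on client_id, treats sub as a deployment policy choice, and makes its access decision from scope alone. The HMAC key, issuer/audience URLs, client_id, jti values and the movie:watch scope are constructed; the claims other than sub and client_id (iss, exp, aud, iat, jti) follow the draft's claim list, which the thread itself does not quote.

```python
import base64, hashlib, hmac, json, time

HMAC_KEY = b"demo-key-for-illustration-only"  # constructed; a real AS would use RS256/ES256


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(claims: dict) -> str:
    """AS side: HS256-signed JWT access token carrying the given claims."""
    header = {"alg": "HS256", "typ": "at+jwt"}  # typ value as used by the JWT AT profile
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(HMAC_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_access_token(token: str, audience: str, require_sub: bool, now=None) -> dict:
    """RS side: check alg, signature, aud and exp; always require client_id;
    require sub only when the deployment's policy says so (the point debated above)."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never accept alg=none or a swap
        raise ValueError("unexpected alg")
    expected = hmac.new(HMAC_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if "client_id" not in claims:
        raise ValueError("client_id missing")
    if require_sub and "sub" not in claims:
        raise ValueError("sub missing")
    return claims


def can_access(claims: dict, needed_scope: str) -> bool:
    """Hotel-key check: the door looks only at what the key grants, never at who holds it."""
    return needed_scope in claims.get("scope", "").split()


# Constructed tokens: a "movie ticket" with no sub, and a client-credentials token
# where sub simply repeats client_id (the case raised in the message above).
BASE = {"iss": "https://as.example", "aud": "https://rs.example", "iat": 1586500000,
        "exp": 1586503600, "jti": "id-1", "client_id": "s6BhdRkqt3", "scope": "movie:watch"}
TICKET = mint_access_token(BASE)
CLIENT_CREDS = mint_access_token({**BASE, "sub": "s6BhdRkqt3", "jti": "id-2"})
```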
“Ide rockers” is iPhone autocorrect jargon for “identifiers”, of course :P
On Mon, Apr 13, 2020 at 13:13 Vittorio Bertocci wrote:
> It’s certainly possible to conceive ATs without subs, but I think the
> profile would be way less useful for SDK developers.
> On the objections:
> The sub doesn’t
An SDK is going to support "sub" whether it is required or optional.
On Mon, Apr 13, 2020 at 1:40 PM Vittorio Bertocci wrote:
> “Ide rockers” is iPhone autocorrect jargon for “identifiers”, of course :P
>
> On Mon, Apr 13, 2020 at 13:13 Vittorio Bertocci
> wrote:
>
>> It’s certainly possible t