Yeah, that makes sense and I don't necessarily think a change is needed. Responding to Pam's question was the first time I'd really considered that implicit restriction and was more thinking out loud than anything.<br>
<br>FWIW, I was thinking about it as the case where the client talks directly to the AS's Token Endpoint but might use an STS to get the JWT. My thinking is probably somewhat biased by the product I build but there are some situations where an STS holds all (most) of the key material and aggregates the trust with other organizations. <br>
<br><div class="gmail_quote">On Tue, Apr 3, 2012 at 9:50 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">We are using the OAuth Assertion profile and JWT bearer token profile for Oauth.<div><a href="http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03" target="_blank">http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03</a></div>
<div><br></div><div>In the case where the JWT is self issued by the client the iss and prn are both the client.</div><div><br></div><div>You are correct that there may be cases where there is a intermediary in the general case of the Assertion profile. </div>
<div>I however have a hard time seeing that as a issue when the client is talking to the Token Endpoint directly, as is required by OAuth.</div><div><br></div><div>Anything like that is going to be extension territory. </div>
<div><br></div><div>I could probably live thigh the iss SHOULD contain the client_id of the OAuth Client. To allow for extension however I don't really want to start describing all of the possible acceptable permutations in the core specs.</div>
<div><br></div><div>It starts looking more like WS* if we go down that route. </div><div><br></div><div>I am inclined to levee it as it is currently and let an extension deal with the alternate scenarios.</div><div><br>
</div><div>John B.</div><div><div class="h5"><div><br></div><div><br></div><div><div><br></div><div><br><div><div>On 2012-04-03, at 8:59 AM, Brian Campbell wrote:</div><br><blockquote type="cite">I believe that what is there is correct or at least what was intended. "iss" is the issuer of of the JWT to be used for client authentication. In this case it's saying that such JWTs are self issued. Which makes sense and I think is what was intended (but don't know so someone please correct me, if I'm wrong).<br>
<br>Is it potentially too restrictive though? It would seem to presume that clients always have access to the keying material. That's likely the case most of the time but the text as written would seem to preclude a situation where a client might interact with an STS (that holds the key material) to obtain a JWT for client authentication. <br>
<br><br><div class="gmail_quote">On Mon, Apr 2, 2012 at 3:53 PM, Pam Dingle <span dir="ltr"><<a href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>In section 2.2.1 of the Messages document (draft 08), in the Client Authentication section, the iss and the prn elements both have identical definitions, both containing the client_id of the OAuth Client. Shouldn't the issuer be the AS?</div>
<div><br></div><div>Here is the text:</div><div><br></div><div><br></div><div><dt style="font-family:verdana,charcoal,helvetica,arial,sans-serif">iss</dt><dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif">
REQUIRED. The <tt style="color:rgb(0,51,102);font-family:'Courier New',Courier,monospace">iss</tt> (issuer) Claim. This MUST contain the <tt style="color:rgb(0,51,102);font-family:'Courier New',Courier,monospace">client_id</tt> of the OAuth Client.</dd>
<dt style="font-family:verdana,charcoal,helvetica,arial,sans-serif">prn</dt><dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif">REQUIRED. The <tt style="color:rgb(0,51,102);font-family:'Courier New',Courier,monospace">prn</tt> (principal) Claim. This MUST contain the <tt style="color:rgb(0,51,102);font-family:'Courier New',Courier,monospace">client_id</tt> of the OAuth Client.</dd>
<dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif"><br></dd><dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif"><br></dd>
<dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif"><br></dd><dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif">Thanks, talk to you shortly.</dd>
<dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif"><br></dd><dd style="font-family:verdana,charcoal,helvetica,arial,sans-serif"><br></dd>
</div>-- <br><span style="font-family:'Lucida Grande',Tahoma,Arial,Verdana,sans-serif;font-size:10px;color:rgb(42,42,42)"><font style="color:rgb(52,54,52);font-size:12px" face="Tahoma" color="#343634"><b><span>Pamela Dingle</span></b> | <span>Sr. Technical Architect</span></font><br>
<font style="font-size:11px" face="Arial"><font face="Tahoma" color="#343634"><b>Ping</b></font><font face="Tahoma" color="#E71939"><b>Identity</b></font> | <a href="http://www.pingidentity.com/" target="_blank">www.pingidentity.com</a><br>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br><font color="#005568"><b>O:</b></font> <font color="#343634"><span><a href="tel:303-999-5890" value="+13039995890" target="_blank">303-999-5890</a></span></font> <font color="#005568"><b>M:</b></font> <font color="#343634"><span><a href="tel:303-999-5890" value="+13039995890" target="_blank">303-999-5890</a></span></font><br>
<font color="#005568"><b>Email:</b></font> <span><a href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a></span><br>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<br>
<table cellpadding="0" cellspacing="0"><tbody><tr valign="top"><td nowrap><div style="float:left"><font style="font-size:11px" face="Arial"><font color="#005568"><b>Connect with Ping</b></font><br><font color="#000000">Twitter: @pingidentity</font><br>
<font color="#000000">LinkedIn Group: Ping's Identity Cloud</font> <br><font color="#000000"><a href="http://Facebook.com/pingidentitypage" target="_blank">Facebook.com/pingidentitypage</a></font></font></div></td>
<td nowrap><div style="margin-left:20px"><font style="font-size:11px" face="Arial"><font color="#005568"><b><span>Connect with me</span></b></font><br>
<font color="#000000"><span>Twitter: @pamelarosiedee</span></font><br><font color="#000000"><span></span></font></font></div></td></tr></tbody></table></font></span><br>
<br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br>
_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br></div></div></div></div></div></blockquote></div><br>