KantaraInitiative / wg-uma

This is the repository of all specifications related to the User Managed Access Group
http://kantarainitiative.org/confluence/display/uma/

Registration request for JWT permissions claims incomplete and may have other issues #334

Closed xmlgrrl closed 7 years ago

xmlgrrl commented 7 years ago

Excerpting from the most recent response summarizing a conversation with @jricher and Designated Expert Brian Campbell for JWT claims registration (the following is all from Brian):

".... In order to register a JWT claim, the claim must be defined. And Federated Authorization for User-Managed Access (UMA) 2.0 only defines a "permissions" introspection response parameter. It doesn't define a "permissions" JWT claim.

"... [A] claim has to be explicitly defined in order to be registered.

"I believe that defining the claim sufficiently could be done fairly easily with something like a short new section that says that for self-contained JWT access tokens that are validated locally the "permissions" claim has the same syntax and semantics as the "permissions" introspection response parameter. Or something along those lines.

"But removing FedAuthz Sec 9.2 and rescinding the request is an option too.

"Justin does mention potential privacy and security considerations that come with use of JWT. Some discussion/consideration of those is likely warranted, if you do decide to define the claim and re-request registration. Although that's likely warranted anyway in general for self-contained tokens even if the structure isn't specifically defined."

Justin's earlier comment regarding privacy and security:

"The “permissions” structure was originally designed for token introspection and that’s where it’s set to fit. There hasn’t been a lot of work on the JWT-encoded version of this yet, and AFAIK no implementations. I think, as with other things that go inside a JWT, there could be privacy and security considerations that haven’t been fully rolled out yet. Perhaps it would be best to drop this registration and leave JWT-based federated connections to a separate, more thorough document?"

It appears this issue could be handled by a "mere" editorial change of dropping FedAuthz Sec 9.2, but talking about the substantive consequences seems like a good idea in any case, so I've left the editorial label off.

(This relates to issue #287.)
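Added illustration, not code from the wg-uma repository or from the FedAuthz spec: what Brian's suggested "short new section" would amount to in practice, namely a self-contained RPT carrying a `permissions` claim with the same syntax as the introspection response parameter (an array of objects with `resource_id`, `resource_scopes` and optional `nbf`/`exp` NumericDate values), which the resource server verifies and evaluates locally instead of calling the introspection endpoint. The claim name `permissions` inside a JWT, the HS256 shared secret, the issuer URL and the resource identifiers are all assumptions made for this example; the spec only defines the introspection parameter, and this issue withdrew the registration request.

```python
"""Added example (not from the wg-uma repo or the UMA 2.0 spec): a hypothetical
"permissions" JWT claim that reuses the FedAuthz introspection-response syntax,
plus the local check a resource server (RS) would run on it.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared secret between AS and RS (HS256). A real deployment would
# use an asymmetric key so the RS can verify tokens but cannot mint them.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_rpt(permissions: list, now: int, secret: bytes = SECRET) -> str:
    """AS side: issue a self-contained RPT carrying the hypothetical claim.
    The "permissions" value has exactly the shape of the introspection
    response parameter, which is the definition this issue discussed."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://as.example", "iat": now, "exp": now + 3600,
               "permissions": permissions}  # assumed claim name
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_rpt(token: str, now: int, secret: bytes = SECRET) -> dict:
    """RS side: check signature and token-level exp before trusting any claim."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token's own "alg" choose the key type.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def permission_grants(permissions: list, resource_id: str, scope: str, now: int) -> bool:
    """Same semantics as reading the introspection response: a permission
    object grants `scope` on `resource_id` if it lists both and its optional
    nbf/exp window (NumericDate seconds) contains `now`."""
    for perm in permissions:
        if perm.get("resource_id") != resource_id:
            continue
        if scope not in perm.get("resource_scopes", []):
            continue
        if "nbf" in perm and now < perm["nbf"]:
            continue
        if "exp" in perm and now >= perm["exp"]:
            continue
        return True
    return False


def authorize(token: str, resource_id: str, scope: str, now: int) -> bool:
    """Local authorization decision for one RS request, no introspection call."""
    try:
        payload = verify_rpt(token, now)
    except ValueError:
        return False
    return permission_grants(payload.get("permissions", []), resource_id, scope, now)


if __name__ == "__main__":
    NOW = 1_500_000_000  # constructed fixed clock for reproducible output
    perms = [  # constructed permission objects in the introspection-response shape
        {"resource_id": "res-photos", "resource_scopes": ["view", "print"], "exp": NOW + 600},
        {"resource_id": "res-docs", "resource_scopes": ["edit"], "nbf": NOW + 300},
    ]
    rpt = mint_rpt(perms, NOW)
    print(authorize(rpt, "res-photos", "view", NOW))        # True
    print(authorize(rpt, "res-photos", "edit", NOW))        # False: scope not granted
    print(authorize(rpt, "res-docs", "edit", NOW))          # False: nbf still in the future
    print(authorize(rpt, "res-photos", "view", NOW + 601))  # False: permission expired
    print(authorize(rpt[:-2] + "xx", "res-photos", "view", NOW))  # False: tampered signature
```

The example also makes the consideration Justin raised concrete: with introspection, the permissions list travels only between AS and RS, whereas in a self-contained token every party that holds the RPT (the client included) can read which resource identifiers and scopes were granted, so encrypting the token or minimizing the claim would have to be discussed before such a claim could be defined.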

xmlgrrl commented 7 years ago

Per UMA telecon 2017-07-13, the IANA request for the permissions claim should be removed, and a sentence in the Introduction should be edited. See the notes.

xmlgrrl commented 7 years ago

This issue relates to #330, which now would be closed without action because we won't be adding the registration request for permissions to be in the JWT registry at all.