WLCG-AuthZ-WG / common-jwt-profile

A repo for the WLCG Common JWT profile document

Use RFC 9068 for token version #25

Open hshort opened 1 year ago

hshort commented 1 year ago

Apparently RFC 9068 uses the standard JWT typ claim to identify the token version/type. It would be better to use this than our own "wlcg.ver" claim. This was raised by @jbasney.

jbasney commented 1 year ago

To find the recommendations for the typ claim, I followed the references from https://www.rfc-editor.org/rfc/rfc9068.html#name-security-considerations to https://www.rfc-editor.org/rfc/rfc8725#section-2.8 to https://www.rfc-editor.org/rfc/rfc8725#section-3.11 (Use Explicit Typing).
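An added example (not part of the thread or of the WLCG profile): a sketch of the explicit-typing check from RFC 8725 section 3.11 as RFC 9068 applies it, where the `typ` header parameter must be `at+jwt` or `application/at+jwt`. The sample tokens, the `wlcg.ver` value and the helper names are constructed for illustration, and signature and claim validation are assumed to happen in separate steps.

```python
import base64
import json

# Values RFC 9068 section 4 tells a resource server to accept in the typ header.
ACCEPTED_TYP = {"at+jwt", "application/at+jwt"}


def _b64url_json(segment: str):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_explicit_type(token: str) -> dict:
    """Return the JOSE header if typ marks an RFC 9068 access token.

    This is only the typing check; it does not verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = _b64url_json(parts[0])
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    typ = header.get("typ")
    if not isinstance(typ, str):
        raise ValueError("typ header missing: token is not explicitly typed")
    # Media type names are case-insensitive (RFC 7515 section 4.1.9).
    if typ.lower() not in ACCEPTED_TYP:
        raise ValueError(f"unexpected typ {typ!r}")
    return header


def is_typed_access_token(token: str) -> bool:
    try:
        check_explicit_type(token)
        return True
    except ValueError:
        return False


def _sample(header: dict, payload: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"


# Constructed samples: one typed per RFC 9068, one versioned only by a payload claim.
SAMPLE_TYPED = _sample({"alg": "RS256", "typ": "at+JWT"}, {"sub": "example"})
SAMPLE_PAYLOAD_VER = _sample({"alg": "RS256", "typ": "JWT"}, {"wlcg.ver": "1.0"})
```

A token versioned only through a payload claim fails this check, because the type has to be visible in the header before any claim is interpreted.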

maarten-litmaath commented 1 year ago

And after that one we only need to nudge the community towards a "grp" claim and we're done! 🙂


From: hshort @.>
Sent: Monday, April 24, 2023 4:07 PM
To: WLCG-AuthZ-WG/common-jwt-profile @.>
Cc: Subscribed @.***>
Subject: [WLCG-AuthZ-WG/common-jwt-profile] Use RFC 9068 for token version (Issue #25)

Apparently RFC 9068 uses the standard JWT typ claim to identify the token version/type. It would be better to use this than our own "wlcg.ver" claim. This was raised by @jbasney (https://github.com/jbasney)


msalle commented 1 year ago

Better groups then: https://www.rfc-editor.org/rfc/rfc9068.html#section-2.2.3.1 But Brian has brought that up previously, AFAIR.

maarten-litmaath commented 1 year ago

The "groups" syntax in their example looks usable, AFAICS:

https://www.rfc-editor.org/rfc/rfc7643#section-8.2