[Ace] JWT + OAuth Request

Jim Schaad <ietf@augustcellars.com> Thu, 04 October 2018 01:47 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: ace@ietf.org
Date: Wed, 03 Oct 2018 18:47:05 -0700
Message-ID: <037301d45b84$29065ac0$7b131040$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/mIGBB5_4UZkyV9Ziahk88g7E9EY>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

The OAuth group discovered a problem with some of the names of our new OAuth
fields. It was caused by the fact that they have an ID that is somewhere
between the IESG and the RFC Editor which introduced the concept of using a
JWT as the transport for an OAuth request.  This allows for doing
end-to-end security on the OAuth request in the event it needs to be
forwarded to another authorizer.  Due to the design decision that they made,
this was done by including all of the OAuth request fields as JWT claims, thus
combining the two namespaces.  Based on this we now need to make a decision
on what to do with our COSE versions of this.  From my point of view we have
two different options:

1.  Ignore the problem and hope it goes away.
2.  Deal with the problem by combining the current CWT registry with the
OAuth registry that is going to be created.

Why option 1 might be acceptable:

A.  The reason that they are doing this is because they want to get an E2E
solution for requests.  We have this already to some degree with the OSCORE
profile of OAuth and could easily go the rest of the way by creating a COSE
profile which allowed for full COSE rather than the restricted version of
OSCORE.  There may be some unknown benefits to using a JWT for this
purpose, but I would then want to ask two questions:  Is this really
something that is useful and important?  If it is really that important or
useful, why is it not part of the base OAuth protocol?

B.  If a CWT version of this is really needed, perhaps we can get a different
design to be used.  Specifically, create two new CWT claims, "oauth_req" and
"oauth_resp", and then place the OAuth parameters in those fields rather than
making them CWT claims.  I am sure that there would be complaints about this,
but much as COSE fixed problems that it saw as being wrong, the WG could do
the same thing.

Jim
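The namespace problem the message describes, and the nested-claim design it proposes as option B, shown side by side in an added Python example (this is illustration written for this archive page, not code from the ACE or OAuth working groups). The registered CWT claim names and integer keys are those of RFC 8392; the sample token claims and the sample OAuth request, including an "aud" request parameter that clashes with the CWT "aud" claim, are constructed here purely to show what a collision looks like, and the "oauth_req" claim name is the one suggested in the message, not a registered claim.

```python
"""Flat versus nested placement of OAuth request parameters inside a CWT claim set.

Added example. The flat design merges OAuth parameters straight into the claim
set (the approach the mail says the OAuth group took for JWTs); the nested
design carries the whole request under a single claim so the two name spaces
stay separate.
"""

# Registered CWT claim names and their CBOR map keys, from RFC 8392 section 4.1.
CWT_REGISTERED_CLAIMS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}


class ClaimCollision(ValueError):
    """Raised when an OAuth parameter name would shadow or be shadowed by a CWT claim."""


def collisions_with_claims(cwt_claims, oauth_params):
    """Return the sorted list of OAuth parameter names that are also CWT claim names,
    either registered ones or ones already present in this token."""
    taken = set(CWT_REGISTERED_CLAIMS) | set(cwt_claims)
    return sorted(set(oauth_params) & taken)


def flat_merge(cwt_claims, oauth_params):
    """Flat design: every OAuth parameter becomes a top-level claim.

    A collision would silently overwrite one side (here the OAuth value would
    win), so refuse instead of guessing which meaning the receiver should see.
    """
    clashes = collisions_with_claims(cwt_claims, oauth_params)
    if clashes:
        raise ClaimCollision(f"OAuth parameters collide with CWT claims: {clashes}")
    merged = dict(cwt_claims)
    merged.update(oauth_params)
    return merged


def nested_wrap(cwt_claims, oauth_params, claim="oauth_req"):
    """Nested design (option B in the mail): one claim holds the OAuth request as a map.

    The inner map has its own key space, so an OAuth "aud" and a CWT "aud" can
    coexist. The only name that must be free is the wrapper claim itself.
    """
    if claim in CWT_REGISTERED_CLAIMS or claim in cwt_claims:
        raise ClaimCollision(f"wrapper claim name {claim!r} is already in use")
    wrapped = dict(cwt_claims)
    wrapped[claim] = dict(oauth_params)
    return wrapped


def oauth_request_from(token_claims, claim="oauth_req"):
    """Receiver side: pull the OAuth request back out of a nested token, or None if absent."""
    request = token_claims.get(claim)
    return dict(request) if isinstance(request, dict) else None


# Constructed sample data (not taken from any specification or real deployment).
SAMPLE_CWT_CLAIMS = {"iss": "as.example", "aud": "rs.example", "exp": 1538618825}
SAMPLE_OAUTH_REQUEST = {
    "grant_type": "client_credentials",
    "client_id": "sensor-42",
    "scope": "read",
    "aud": "tempSensor",  # constructed: an OAuth-level audience parameter sharing the name "aud"
}


def demo():
    """Show that the flat design rejects the sample while the nested design round-trips it."""
    try:
        flat_merge(SAMPLE_CWT_CLAIMS, SAMPLE_OAUTH_REQUEST)
        flat_ok = True
    except ClaimCollision:
        flat_ok = False
    nested = nested_wrap(SAMPLE_CWT_CLAIMS, SAMPLE_OAUTH_REQUEST)
    recovered = oauth_request_from(nested)
    return {"flat_accepted": flat_ok, "nested_roundtrip": recovered == SAMPLE_OAUTH_REQUEST,
            "cwt_aud": nested["aud"], "oauth_aud": recovered["aud"]}


if __name__ == "__main__":
    print(demo())
```

The flat merge is the place where a verifier has to decide which meaning of a shared name applies, and there is no safe default; the nested form makes that decision unnecessary, at the cost of one extra claim name that has to be registered and kept free.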