[Ace] JWT + OAuth Request
Jim Schaad <ietf@augustcellars.com> Thu, 04 October 2018 01:47 UTC
The OAuth group discovered a problem with some of the names of our new OAuth fields that was caused by the fact that they have an ID that is someplace between the IESG and the RFC Editor which introduced the concept of using a JWT as the transport for an OAuth request. This allows for doing end-to-end security on the OAuth request in the event it needs to be forwarded to another authorizer. Due to the design decision that they made, this was done by including all of the OAuth request fields as JWT claims, thus combining the two namespaces.

Based on this we now need to make a decision on what to do with our COSE versions of this. From my point of view we have two different options:

1. Ignore the problem and hope it goes away.

2. Deal with the problem by combining the current CWT registry with the OAuth registry that is going to be created.

Why option 1 might be acceptable:

A. The reason that they are doing this is because they want to get an E2E solution for requests. We have this already to some degree with the OSCORE profile of OAuth and could easily go the rest of the way by creating a COSE profile which allowed for full COSE rather than the restricted version of OSCORE. There may be some unknown benefits to using a JWT for this purpose, but I would then want to ask two questions: Is this really something that is useful and important? If it is really that important or useful, why is it not part of the base OAuth protocol?

B. If a CWT version of this is really needed, perhaps we can get a different design to be used. Specifically, create two new CWT claims, "oauth_req" and "oauth_resp", and then place the OAuth parameters in those fields and not make them CWT claims. I am sure that there would be complaints about this, but much as COSE fixed problems that it saw as being wrong, the WG could do the same thing.

Jim
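As an added illustration (not part of the message above or of any ACE or OAuth draft) of the two layouts being discussed, the following Python models the namespace question: it uses the CWT claim keys registered by RFC 8392, a constructed abbreviation table for OAuth request parameters standing in for a separate OAuth registry, and a placeholder key for the proposed "oauth_req" claim. Flattening the OAuth parameters into the CWT claim set makes integer keys ambiguous; nesting them under one claim keeps the two registries apart and decodes back unambiguously.

```python
from __future__ import annotations

# CWT claim keys as registered by RFC 8392 (real values).
CWT_CLAIMS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}

# Constructed integer abbreviations for OAuth request parameters, standing in
# for a separately managed OAuth registry. The numbers are illustrative only.
OAUTH_PARAMS = {"grant_type": 1, "client_id": 2, "scope": 3, "audience": 4}

# Placeholder key for the proposed "oauth_req" claim; not a registered value.
OAUTH_REQ_CLAIM = 100


def namespace_collisions(cwt: dict, oauth: dict) -> list[int]:
    """Integer keys that mean two different things once the registries are merged."""
    return sorted(set(cwt.values()) & set(oauth.values()))


def flat_encode(cwt_claims: dict, oauth_req: dict) -> dict:
    """Merged layout: OAuth parameters become top-level CWT claims.
    Refuses to build an ambiguous map when a key is used by both registries."""
    out = {CWT_CLAIMS[name]: value for name, value in cwt_claims.items()}
    for name, value in oauth_req.items():
        key = OAUTH_PARAMS[name]
        if key in out:
            raise ValueError(f"key {key} is both a CWT claim and OAuth parameter {name!r}")
        out[key] = value
    return out


def nested_encode(cwt_claims: dict, oauth_req: dict) -> dict:
    """Nested layout: OAuth parameters live inside one oauth_req claim,
    so the two abbreviation tables never share a map."""
    out = {CWT_CLAIMS[name]: value for name, value in cwt_claims.items()}
    out[OAUTH_REQ_CLAIM] = {OAUTH_PARAMS[name]: value for name, value in oauth_req.items()}
    return out


def nested_decode(claims: dict) -> tuple[dict, dict]:
    """Split a nested-layout map back into named CWT claims and OAuth parameters."""
    cwt_by_key = {v: k for k, v in CWT_CLAIMS.items()}
    oauth_by_key = {v: k for k, v in OAUTH_PARAMS.items()}
    cwt = {cwt_by_key[k]: v for k, v in claims.items() if k != OAUTH_REQ_CLAIM}
    oauth = {oauth_by_key[k]: v for k, v in claims.get(OAUTH_REQ_CLAIM, {}).items()}
    return cwt, oauth


# Constructed sample: a token request that an AS might forward to another AS.
SAMPLE_CWT = {"iss": "as.example", "aud": "rs.example", "exp": 1538610000}
SAMPLE_REQ = {"grant_type": "client_credentials", "scope": "temp"}
```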