IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Mike Jones <Michael.Jones@microsoft.com> Wed, 01 March 2017 19:47 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93DB51298D0 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 11:47:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RbUfBWLssDU4 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 11:47:56 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0120.outbound.protection.outlook.com [104.47.33.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72CDE129686 for <id-event@ietf.org>; Wed, 1 Mar 2017 11:47:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EkzygMt2c3OXoVMOXWk2HMH2961ffoxxpKTVhNC+DJI=; b=ay0mua+RfqFoSaTP1+uCJXqfQCpISuQYp86Mg3uaGzDYxDhQey2fp97H7d6pqkjwHNaKahag4rdlwdNKXKomz7PxaFFVSrm/lDUg5f97ABVjDRiF5MGen3EFDYDLbu345YNQga00oGF5yT6zGNC9IJJs/KYr41U3d4PPvFDdb5k=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Wed, 1 Mar 2017 19:47:53 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Wed, 1 Mar 2017 19:47:53 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, William Denniss <wdenniss@google.com>
Thread-Topic: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
Thread-Index: AQHSkrmW5tqPJIY8NEisvT0PLETCCaGAXGUAgAAEroCAAAB04A==
Date: Wed, 01 Mar 2017 19:47:52 +0000
Message-ID: <CY4PR21MB05046199373561CBFF5F53CBF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <EBD62E0D-3D12-4785-8421-7D92035DE5F5@oracle.com>
In-Reply-To: <EBD62E0D-3D12-4785-8421-7D92035DE5F5@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::36]
x-ms-office365-filtering-correlation-id: a3baed5d-44b3-46a6-6356-08d460dbd98f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0503;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:QhgS2PxVKTtAR3aq6TKBCwSfE2xgvxzZe3Lg3FzYAOyt2tzwCNeCZcfEXgdvo59lTM8iRMhc/Wo8e/oFd74QVrozoMwzEge79y7y9pRnTMDqIbddmcSPm4AfgmD1rh1HPq6/XJVEji9gLpf/0qOXDGpqkRc8qBTqbl1bLCZTjxcwk6QO0ICkUB+zdovqwCsXPZW9y1BRVYuvecy2d9k2277ubCAqfPS1mgtUlkL6YR5ewc0ML8waiq6IzzoESkPcrCIZH4tKpIaTEuQst0JScY5mqd15NT3ZrFt7w5L6+oVoLzWgbn2LYIlgecnl8O0orfC1xQ76QOGk9uaUUC6qLoJwp8uyLVE1vQa5NWMEqLs=
x-microsoft-antispam-prvs: <CY4PR21MB0503C364E0B3CC52FD2FFA04F5290@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(211936372134217)(21748063052155)(21532816269658)(146099531331640)(201166117486090);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123558025)(20161123555025)(20161123562025)(20161123560025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39450400003)(39840400002)(39410400002)(39850400002)(39860400002)(377454003)(24454002)(55016002)(3660700001)(2906002)(10090500001)(8676002)(19609705001)(189998001)(8936002)(77096006)(99286003)(6306002)(54896002)(229853002)(33656002)(3280700002)(1680700002)(561944003)(8990500004)(122556002)(7696004)(10290500002)(5005710100001)(92566002)(54356999)(74316002)(25786008)(7736002)(50986999)(76176999)(6506006)(7906003)(38730400002)(81166006)(4326008)(6246003)(5660300001)(53386004)(6436002)(2950100002)(86362001)(53936002)(9686003)(106116001)(86612001)(575784001)(6116002)(236005)(53546006)(2900100001)(790700001)(102836003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05046199373561CBFF5F53CBF5290CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2017 19:47:52.8148 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/3mfZli60UkL9Y-BEX_Rw8YrOh_g>
Cc: ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 19:47:58 -0000

In many of the cases, the issuer of the SET will be the same as the issuer of the subject of the event, since it’s the issuer that’s authoritative for both in most cases.  Only in the case that the party issuing the event is different from the party that the event is about (which I think will be a less common case) will it be necessary to have a second issuer.  And in that case, we already have syntax for that second issuer – which becomes a parameter to the event.

The way that “iss” and “sub” are bound together syntactically is that they’re members of the same JSON object.  If you want to have a second issuer and subject, they would also be members of a JSON object – in that case, the JSON object for the event parameters.

As I wrote in the (now forked) response to William, we should steer clear of requiring people to use claims in unnatural ways.  For instance, “aud” (audience) restrictions would violate this principle.

Given that OpenID Connect Core the use of “nonce” in ID Tokens, I think it’s sufficient for OpenID Connect Back-Channel Logout to prohibit its use in Logout Tokens.  Both are OpenID-specific.  I don’t think we need to say anything in the SET spec about OpenID-specific claims.

                                                                -- Mike

From: Phil Hunt [mailto:phil.hunt@oracle.com]
Sent: Wednesday, March 1, 2017 11:37 AM
To: William Denniss <wdenniss@google.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>; ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

+1  I like the idea of prohibiting ‘nonce”.  Would be great to have a proposal for the “aud” text.

I’m neutral on this stuff. In proposing 2, I was responding to the awkwardness that Yaron pointed. I was trying to think of something that cleanly separates SET use of subject from the way access tokens use it. I wanted to bind together the “iss” and “sub” as they often go together. I’m not a fan of having “iss” colliding with the issuer of the SET….I wish there was a better way to keep “sub” and “iss” closer together.

Phil

Oracle Corporation, Identity Cloud Services & Identity Standards
@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>






On Mar 1, 2017, at 11:20 AM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:

My vote is for #1.  Iss and sub should take the definition from JWT.

I fear that following the "access token confusion mitigation" logic here basically means that "sub" can only be used by authorization & authentication protocols which is wasn't the intent of the spec<https://tools.ietf.org/html/rfc7519#section-4.1>.  What is the point of these standard claims if we can't use them? Will every new spec prohibit/rename a different standard claim? This isn't scalable, and is super confusing.

Back-channel logout "breaks" the id token mix-up by prohibiting<https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> 'nonce'.  When I spoke to Breno about the overall risk, he suggested not reusing "aud" in other systems (like RISC, SCIM, etc). OpenID Connect defines "aud" to be the client-id. If *every other spec* uses a URI-based approach for aud and recommends not re-using audience URIs between systems, then we can avoid conflicts and usage mix-ups.

If I recall correctly in Buenos Aires, the preference of +Mike was to keep "sub" for compatibility with Backchannel Logout.

I hope we can avoid going around in circles on this security topic, how about I propose some new text for https://tools.ietf.org/html/draft-ietf-secevent-token-00#section-3.5 capturing the "aud" suggestion?  We can confine all such "access token confusion" matters to that section, and just build the best SET spec we can without needing to bake in hacks.

Mandating that different systems use non-overlapping "aud" sets doesn't not sound like a hack to me at all (unlike renaming "sub"), since the audience of a SET stream is surely different to that of an AuthZ/N token.



On Wed, Mar 1, 2017 at 10:27 AM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
In the comments on idtoken-07, Yaron raised concerns around the confusion of “iss” of the subject of the event vs. issuer of the event.  The current text says that if there is a need to distinguish between “iss” of the “sub” vs. “iss” of the event, then the event should place the “iss” of the subject in the event payload area.

I agree this does seem awkward.

I have been thinking a related concern, that a SET could be confused as an access token if it has a “sub” value.  If we stop using “sub” then we’re potentially causing web access management systems to reject SETs as invalid access tokens — this is theoretically a GOOD THING.

PLEASE INDICATE 1 or 2, or provide additional discussion.

Two options:

1. Leave as is.

2.  Create a new attribute object, “esub” (event subject) which is a JSON object that contains the attributes needed to identify the subject.  For example:

We currently have:

   {

     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",



     "sub": "248289761001",

     "iat": 1458496025,

     "iss": "https://my.examplemed.com<https://my.examplemed.com/>",

     "aud": [

       "https://rp.example.com<https://rp.example.com/>"

     ],

     "events": {

       "https://openid.net/heart/specs/consent.html":{

         "iss":"https://connect.example.com<https://connect.example.com/>",

         "consentUri":[

           "https://terms.examplemed.com/labdisclosure.html#Agree"

         ]

       }

     }

   }

Could be represented as:

   {

     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",



     “esub": {

       “sub”:"248289761001”,

       "iss":"https://connect.example.com<https://connect.example.com/>”

     }

     "iat": 1458496025,

     "iss": "https://my.examplemed.com<https://my.examplemed.com/>",

     "aud": [

       "https://rp.example.com<https://rp.example.com/>"

     ],

     "events": {

       "https://openid.net/heart/specs/consent.html":{

         "consentUri":[

           "https://terms.examplemed.com/labdisclosure.html#Agree"

         ]

       }

     }

   }

Comments:
* “sub” remains untouched in the sense that it retains the meaning used in traditional access tokens.
* “esub” contains the full information to address the subject.  No need to look around for a second “iss” (which may or may not be there)

To do this would require defining “esub” and sub-attributes like, “iss”, “sub” (which follow current defs), and probably “uri” for those entities that are referenceable as a URI.  Examples of URI subjects:
*  in implicit federation (from RISC):   “uri”:”mailto:phil.hunt@yahoo.com”
*  in SCIM where resources have URIs:  “uri”:”https://scim.example.com/Users/44f6142df96bd6ab61e7521d9"

One catch. Profiling specs would not be able to define new ways of addressing subjects with esub.

Phil

Oracle Corporation, Identity Cloud Services & Identity Standards
@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>







_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email