IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Phil Hunt <phil.hunt@oracle.com> Tue, 07 March 2017 16:14 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7614F1295E6 for <id-event@ietfa.amsl.com>; Tue, 7 Mar 2017 08:14:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.701
X-Spam-Level:
X-Spam-Status: No, score=-3.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id spA-FsQh29tl for <id-event@ietfa.amsl.com>; Tue, 7 Mar 2017 08:14:20 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FE251295CA for <id-event@ietf.org>; Tue, 7 Mar 2017 08:12:59 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v27GCw9M015062 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <id-event@ietf.org>; Tue, 7 Mar 2017 16:12:58 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v27GCvva016395 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <id-event@ietf.org>; Tue, 7 Mar 2017 16:12:58 GMT
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id v27GCtOL022282 for <id-event@ietf.org>; Tue, 7 Mar 2017 16:12:56 GMT
Received: from [10.0.1.30] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 07 Mar 2017 08:12:55 -0800
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E8C00C24-41CC-44C3-B276-6C2840F78947"
Message-Id: <C2BE4FD7-6090-49C7-88FD-CCBBBC40538C@oracle.com>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Date: Tue, 07 Mar 2017 08:12:54 -0800
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <7f44a710-0545-157c-b75e-d46853cf2e06@mit.edu> <4B014CCA-BCBE-4894-9F2F-17DA2541509A@oracle.com> <1bbfcb1f-c554-3baf-e260-fbd475c803bb@mit.edu> <CY4PR21MB0504F24541054228A72FC93FF52F0@CY4PR21MB0504.namprd21.prod.outlook.com> <6e1e3988-43c7-5ac1-529d-4160ced6cc90@akamai.com> <2cd1b77c-ca3c-a773-4068-21da43509e8b@mit.edu>
To: ID Events Mailing List <id-event@ietf.org>
In-Reply-To: <2cd1b77c-ca3c-a773-4068-21da43509e8b@mit.edu>
X-Mailer: Apple Mail (2.3124)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Ge13WufxNMIjMqKqK8B5rRhqQkM>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 16:14:40 -0000

Just to refresh everyone...

As editor, my feeling is we have no *clean* or *simple* solution because we have to use “iss” to mean the issuer of the SET in order to comply with JWT and because OIDC conflates assertion issuer with subject issuer, it makes it difficult to uniquely identify a “sub” value because some events want to use “iss” for 2 purposes (to identify the event issuer vs. the subject issuer).

None of the solutions presented are actually easy to explain. So far, I’ve sided with Mike and William because they feel it is close enough and it was editorially lazy (say nothing). I am worried that this is actually complex for developers who do not know the history of how JWTs emerged.

Let’s look at the examples we already have. Notice that in the current draft, there are 3 separate ways of expressing the subject of an event….

Scenario 1, the event issuer and subject issuer are the same:

   {
      "iss": "https://server.example.com",
      "sub": "248289761001",
      "aud": "s6BhdRkqt3",
      "iat": 1471566154,
      "jti": "bWJq",
      "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
      "events": {
        "http://schemas.openid.net/event/backchannel-logout": {}
      }
   }

Scenario 2, a relying party is issuing an event, event iss and sub iss are different and thus there are repeat iss values:

   {
     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",

     "sub": "248289761001",
     "iat": 1458496025,
     "iss": "https://my.examplemed.com",
     "aud": [
       "https://rp.example.com"
     ],
     "events": {
       "https://openid.net/heart/specs/consent.html":{
         "iss":"https://connect.example.com",
         "consentUri":[
           "https://terms.examplemed.com/labdisclosure.html#Agree"
         ]
       }
     }
   }

Scenario  3:  sub is universally unique:

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "iat": 1458496025,
     "iss": "https://scim.example.com",
     "aud": [
       "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
       "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ],
     "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
     "events": {
       "urn:ietf:params:scim:event:passwordReset":
         { "id":"44f6142df96bd6ab61e7521d9"},
       "https://example.com/scim/event/passwordResetExt":
         { "resetAttempts":5}
     }
   }

I believe the current argument is that profiling specs explains how their events are to be parsed. This means for multi-event parsers, subject is inconsistent and potentially not mappable.  The BackChannel Logout event is currently structured for only the OP to issue. However Oracle wants that to be bi-directional so that web sites can notify the IDP/OP that the user has logged out of a specific web site.  If that happens, BackChannel logout will have methods 1 and 2 required.

Would it be possible for events to require that “sub” be globally unique — e.g. expressed as a url.  For example, in order for backchannel to be issued by an OP or an RP, it would be expressed with sub as a URL ("sub": “https://server.example.com/248289761001”,):
   {
      "iss": "https://www.exampleapp.com",
      "sub": “https://server.example.com/248289761001",
      "aud": "s6BhdRkqt3",
      "iat": 1471566154,
      "jti": "bWJq",
      "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
      "events": {
        "http://schemas.openid.net/event/backchannel-logout": {}
      }
 
At least this way iss is never duplicated and sub is always the addressable subject of the event regardless of the type of event.  That would enable all 3 cases to be expressed one way for all specs.  That seems simple to me (at least from how I would define this in the spec).  

I had thought Justin was advocating a 4th option which is to always embed “sub” and “iss” in the event payload.  So you would end up with something like:
   {
     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
     "iat": 1458496025,
     "iss": "https://my.examplemed.com",
     "aud": [
       "https://rp.example.com"
     ],
     "events": {
       "https://openid.net/heart/specs/consent.html":{
         "sub": "248289761001",
         "iss":"https://my.examplemed.com",
         "consentUri":[
           "https://terms.examplemed.com/labdisclosure.html#Agree"
         ]
       }
     }
   }

Note that in the above example, “iss” would always be present even if “iss” is the *same*.  The rule would be that the iss and sub are in the payload and that addresses the subject of the event. The envelope level is always reserved for event validation and addressing only.  While some would argue this is ugly, I can see some merits as it is at least consistent.


Phil

Oracle Corporation, Identity Cloud Services & Identity Standards
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>







> On Mar 7, 2017, at 7:26 AM, Justin Richer <jricher@mit.edu> wrote:
> 
> +1
> 
> 
> On 3/6/2017 7:55 PM, Benjamin Kaduk wrote:
>> On 03/06/2017 06:39 PM, Mike Jones wrote:
>>> Justin, I suspect you didn’t see my earlier reply to Phil’s note that you also replied to, so I’m repeating it here and sending it to you directly.  (It wouldn’t be the first time that DMARC policies caused some of my contributions to be not received by some participants. :-( )
>>>  
>>> Agreed that this is unclear.  Duplicating information in a protocol *always* introduces an unnecessary error case – the need to define how to handle the situation in which two pieces of information that are required to be identical are different.  Information in a SET should occur at most once.
>>> 
>> 
>> That seems a dangerous road to tread, as it requires care in defining "information" -- duplicating the same data strings at different levels of the hierarchy of a JSON object may very well not be duplicating information, due to the extra context provided by the hierarchy.  In my mind, it's not a clear case that you should never send the same name/value multiple times in different parts of an object, as sometimes it is good to keep the semantic separation clear.
>> 
>> -Ben
> 
>

v2.23.0 | Report a Bug | By Email