IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Sun, 05 March 2017 00:55 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 416BC12948A for <id-event@ietfa.amsl.com>; Sat, 4 Mar 2017 16:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IsYEtntipHNx for <id-event@ietfa.amsl.com>; Sat, 4 Mar 2017 16:55:55 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD872129410 for <id-event@ietf.org>; Sat, 4 Mar 2017 16:55:55 -0800 (PST)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v250tsiw029803 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 5 Mar 2017 00:55:54 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v250tr8W003484 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 5 Mar 2017 00:55:54 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v250trwt005737; Sun, 5 Mar 2017 00:55:53 GMT
Received: from [10.0.1.5] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 04 Mar 2017 16:55:53 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail-85969124-0DCB-405A-BF3C-AED102781AD2"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14D27)
In-Reply-To: <7f44a710-0545-157c-b75e-d46853cf2e06@mit.edu>
Date: Sat, 04 Mar 2017 16:55:50 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <4B014CCA-BCBE-4894-9F2F-17DA2541509A@oracle.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <7f44a710-0545-157c-b75e-d46853cf2e06@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/HWV0D6b2NG5kiWdn-G-xWJAOTqY>
Cc: ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Mar 2017 00:55:57 -0000

That seems unclear. 

Do you mean put subj ans issuer inside the payload regardless of whether the issuer of the event is the same or different from the subject?  That way it is always the same though it may be duplicative?

Phil

> On Mar 4, 2017, at 2:56 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> 3:
> 
> Put "iss" and "sub" inside the event when they apply to the event, even if they're the same as the "iss" and "sub" of the event token itself. 
>  -- Justin
>> On 3/1/2017 1:27 PM, Phil Hunt wrote:
>> In the comments on idtoken-07, Yaron raised concerns around the confusion of “iss” of the subject of the event vs. issuer of the event.  The current text says that if there is a need to distinguish between “iss” of the “sub” vs. “iss” of the event, then the event should place the “iss” of the subject in the event payload area.
>> 
>> I agree this does seem awkward.
>> 
>> I have been thinking a related concern, that a SET could be confused as an access token if it has a “sub” value.  If we stop using “sub” then we’re potentially causing web access management systems to reject SETs as invalid access tokens — this is theoretically a GOOD THING.
>> 
>> PLEASE INDICATE 1 or 2, or provide additional discussion. 
>> 
>> Two options:
>> 
>> 1. Leave as is.
>> 
>> 2.  Create a new attribute object, “esub” (event subject) which is a JSON object that contains the attributes needed to identify the subject.  For example:
>> 
>> We currently have:
>>>    {
>>>      "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>>> 
>>>      "sub": "248289761001",
>>>      "iat": 1458496025,
>>>      "iss": "https://my.examplemed.com",
>>>      "aud": [
>>>        "https://rp.example.com"
>>>      ],
>>>      "events": {
>>>        "https://openid.net/heart/specs/consent.html":{
>>>          "iss":"https://connect.example.com",
>>>          "consentUri":[
>>>            "https://terms.examplemed.com/labdisclosure.html#Agree"
>>>          ]
>>>        }
>>>      }
>>>    }
>> 
>> Could be represented as:
>>    {
>>      "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>> 
>>      “esub": {
>>        “sub”:"248289761001”,
>>        "iss":"https://connect.example.com”
>>      }
>>      "iat": 1458496025,
>>      "iss": "https://my.examplemed.com",
>>      "aud": [
>>        "https://rp.example.com"
>>      ],
>>      "events": {
>>        "https://openid.net/heart/specs/consent.html":{
>>          "consentUri":[
>>            "https://terms.examplemed.com/labdisclosure.html#Agree"
>>          ]
>>        }
>>      }
>>    }
>> 
>> Comments:
>> * “sub” remains untouched in the sense that it retains the meaning used in traditional access tokens. 
>> * “esub” contains the full information to address the subject.  No need to look around for a second “iss” (which may or may not be there)
>> 
>> To do this would require defining “esub” and sub-attributes like, “iss”, “sub” (which follow current defs), and probably “uri” for those entities that are referenceable as a URI.  Examples of URI subjects:
>> *  in implicit federation (from RISC):   “uri”:”mailto:phil.hunt@yahoo.com”
>> *  in SCIM where resources have URIs:  “uri”:”https://scim.example.com/Users/44f6142df96bd6ab61e7521d9"
>> 
>> One catch. Profiling specs would not be able to define new ways of addressing subjects with esub.
>> 
>> Phil
>> 
>> Oracle Corporation, Identity Cloud Services & Identity Standards
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>

v2.23.0 | Report a Bug | By Email