Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
William Denniss <wdenniss@google.com> Wed, 01 March 2017 19:21 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5AD21297F3 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 11:21:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fMRRUBXTuEjm for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 11:21:06 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29A78129561 for <id-event@ietf.org>; Wed, 1 Mar 2017 11:21:06 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id n186so84429518qkb.3 for <id-event@ietf.org>; Wed, 01 Mar 2017 11:21:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8w34vZDOzYBA+AcxAJ2RZ8cPkz8bbNwpmCGkVjVTjzs=; b=QYs2unFkE9sV7kky3nuOQIIDXBf/cuKTiOvmN7Tg+7pFhlcCuFzbqtFoQiBaM0yewg A/eCrXBdhbD4QnPRAVgyBS83zBbf1Q4RuZRoV+F8e7gOQ6qI3nzrzbVOiRKs4th3AWhO THjw0ng2hirYGfSkUkcXQyNIaP90zAL+AR2rmofqtT1OGA9KezTE4HsHR/HCLXDxC7ye RX9KwySOUQ1pY69ibDeQKt+oCGYZB/mRkWY53PrHpIfeSFHrO6nSNblLyxDJrZBdKv83 CwoArQ6ZJA51qnnH/RCh8BPm/IBN5LFK5JLiWG2QXvbMfmBmA1bEMNJlieDqHksbR9pl /d/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8w34vZDOzYBA+AcxAJ2RZ8cPkz8bbNwpmCGkVjVTjzs=; b=jgVvo6VrLY3PPuWCJnDtxOBYoiMYxCz/ZuSRRAmh/Y+3V3NB8UeXIhod9gM246w3GD UfPhIoQ//MYyXXELAyIEMDl6jqlAKurHgCuJjOgrUj5vAOpE8z0Wce3+9K8LDo0nv6Js 67CHxnMFti7sgwQDFU8irC7i5ws538R15YrgaHODUS6kX+SFU2SwHg6UOO/xEDYtJ49J B4DY0EOWmEchZ55huYe7CI+e7ZPfhE/wY4YmckV8EUs8ebAr6RndLN/QCXhR7XRG1GJr pqqYX1sgSex5CGFQ6Dv+6oao44bgRgkGMchu1mIS3neWYT4xFXmzQ/1k5T4bflKg1Aft xphw==
X-Gm-Message-State: AMke39kNmC/rE9N3bNifzl55+Z8AAifgfInpzyIzVXK/CMxO9/oEFIVWcMiFv5KKX3lG9tf12QCddFNWoAALv7l0
X-Received: by 10.200.35.36 with SMTP id a33mr12128479qta.216.1488396064849; Wed, 01 Mar 2017 11:21:04 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 11:20:44 -0800 (PST)
In-Reply-To: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 11:20:44 -0800
Message-ID: <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>, Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a113a7db8bb67370549b036f2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/SeFZ7F71Wnnj7I_jwDX-azALGQs>
Cc: ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 19:21:08 -0000
My vote is for #1. Iss and sub should take the definition from JWT. I fear that following the "access token confusion mitigation" logic here basically means that "sub" can only be used by authorization & authentication protocols which is wasn't the intent of the spec <https://tools.ietf.org/html/rfc7519#section-4.1>. What is the point of these standard claims if we can't use them? Will every new spec prohibit/rename a different standard claim? This isn't scalable, and is super confusing. Back-channel logout "breaks" the id token mix-up by prohibiting <https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> 'nonce'. When I spoke to Breno about the overall risk, he suggested not reusing "aud" in other systems (like RISC, SCIM, etc). OpenID Connect defines "aud" to be the client-id. If *every other spec* uses a URI-based approach for aud and recommends not re-using audience URIs between systems, then we can avoid conflicts and usage mix-ups. If I recall correctly in Buenos Aires, the preference of +Mike was to keep "sub" for compatibility with Backchannel Logout. I hope we can avoid going around in circles on this security topic, how about I propose some new text for https://tools.ietf.org/html/draft-ietf-secevent-token-00#section-3.5 capturing the "aud" suggestion? We can confine all such "access token confusion" matters to that section, and just build the best SET spec we can without needing to bake in hacks. Mandating that different systems use non-overlapping "aud" sets doesn't not sound like a hack to me at all (unlike renaming "sub"), since the audience of a SET stream is surely different to that of an AuthZ/N token. On Wed, Mar 1, 2017 at 10:27 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > In the comments on idtoken-07, Yaron raised concerns around the confusion > of “iss” of the subject of the event vs. issuer of the event. The current > text says that if there is a need to distinguish between “iss” of the “sub” > vs. “iss” of the event, then the event should place the “iss” of the > subject in the event payload area. > > I agree this does seem awkward. > > I have been thinking a related concern, that a SET could be confused as an > access token if it has a “sub” value. If we stop using “sub” then we’re > potentially causing web access management systems to reject SETs as invalid > access tokens — this is theoretically a GOOD THING. > > PLEASE INDICATE 1 or 2, or provide additional discussion. > > Two options: > > 1. Leave as is. > > 2. Create a new attribute object, “esub” (event subject) which is a JSON > object that contains the attributes needed to identify the subject. For > example: > > We currently have: > > { > "jti": "fb4e75b5411e4e19b6c0fe87950f7749", > > "sub": "248289761001", > "iat": 1458496025, > "iss": "https://my.examplemed.com", > "aud": [ > "https://rp.example.com" > ], > "events": { > "https://openid.net/heart/specs/consent.html":{ > "iss":"https://connect.example.com", > "consentUri":[ > "https://terms.examplemed.com/labdisclosure.html#Agree" > ] > } > } > } > > > Could be represented as: > > { > "jti": "fb4e75b5411e4e19b6c0fe87950f7749", > > “esub": { > > “sub”:"248289761001”, > > "iss":"https://connect.example.com” > > } > > "iat": 1458496025, "iss": "https://my.examplemed.com", "aud": [ " > https://rp.example.com" ], "events": { "https://openid.net/heart/ > specs/consent.html":{ "consentUri":[ "https://terms.examplemed.com/ > labdisclosure.html#Agree" ] } } } > > > Comments: > * “sub” remains untouched in the sense that it retains the meaning used in > traditional access tokens. > * “esub” contains the full information to address the subject. No need to > look around for a second “iss” (which may or may not be there) > > To do this would require defining “esub” and sub-attributes like, “iss”, > “sub” (which follow current defs), and probably “uri” for those entities > that are referenceable as a URI. Examples of URI subjects: > * in implicit federation (from RISC): “uri”:”mailto:phil.hunt@yahoo.com > <phil.hunt@yahoo.com>” > * in SCIM where resources have URIs: “uri”:”https://scim.example. > com/Users/44f6142df96bd6ab61e7521d9" > > One catch. Profiling specs would not be able to define new ways of > addressing subjects with esub. > > Phil > > Oracle Corporation, Identity Cloud Services & Identity Standards > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > >
- [Id-event] Thread: Clarifying use of sub and iss … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Brian Campbell
- [Id-event] Making SETs distinct as JWTs (was: Re:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs Benjamin Kaduk
- Re: [Id-event] Making SETs distinct as JWTs (was:… Vivek Biswas
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt (IDM)
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Making SETs distinct as JWTs Yaron Sheffer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones