[Id-event] JWT claim name in draft-ietf-secevent-subject-identifiers?

Brian Campbell <bcampbell@pingidentity.com> Mon, 17 December 2018 21:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Xipj4J3umYa2EnGBU2Q0dUM-Xy8>

During the meeting in Bangkok I asked about whether this document should
define a JWT claim for subject identifier and said I'd follow up on the list
with the question. It took me a while to get to that but here it is.

Some background behind the question is that I was working on some examples
for the draft OpenID Connect Client Initiated Backchannel Authentication
<https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>
specification and there was a place where a subject identifier in a JWT
seemed like a good fit for one of the examples (where the calling client
makes a request that has to have some way of identifying the end-user, and a
token is one such way). So I consulted
draft-ietf-secevent-subject-identifiers-02
<https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-02>
to see how to do it and was somewhat surprised to find that there wasn't a
JWT claim name defined to carry the subject identifier. I ended up using
"subject" in the login_hint_token parameter at the end of
https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request
because it seemed the closest thing to convention there was.

But that left me wondering why draft-ietf-secevent-subject-identifiers-02
hadn't defined a claim and whether maybe it should. Or, if not, whether
maybe a bit of explanation as to why not might be useful and/or some
guidance to users of subject-identifiers or specifications using or
profiling it about the need to agree on a claim name that will carry the
subject identifier value.


On Tue, Oct 23, 2018 at 2:06 PM <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Security Events WG of the IETF.
>
>         Title           : Subject Identifiers for Security Event Tokens
>         Authors         : Annabelle Backman
>                           Marius Scurtescu
>         Filename        : draft-ietf-secevent-subject-identifiers-02.txt
>         Pages           : 10
>         Date            : 2018-10-23
>
> Abstract:
>    Security events communicated within Security Event Tokens may support
>    a variety of identifiers to identify the subject and/or other
>    principals related to the event.  This specification formalizes the
>    notion of subject identifiers as named sets of well-defined claims
>    describing the subject, a mechanism for representing subject
>    identifiers within a [JSON] object such as a JSON Web Token [JWT] or
>    Security Event Token [SET], and a registry for defining and
>    allocating names for these claim sets.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-02
>
> https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-02
>
> A diff from the previous version is available at:
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-secevent-subject-identifiers-02
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>

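As an added illustration of the gap Brian raises (this is not code from the message, the CIBA spec or the draft): a login_hint_token that carries a subject identifier under a "subject" claim, following the convention he used, with the claim name left as a parameter because draft-02 defines none. The member names (subject_type plus email / phone / iss, sub / uri), the HS256 key and the alternative "sub_id" name a consumer might expect instead are assumptions made here.

```python
import base64, hashlib, hmac, json

# Constructed example. Type-specific members are assumed from draft-ietf-secevent-
# subject-identifiers-02 (subject_type selects the type); nothing here is normative.
REQUIRED_MEMBERS = {
    "email":   {"email"},
    "phone":   {"phone"},
    "iss_sub": {"iss", "sub"},
    "account": {"uri"},
}

def validate_subject_identifier(subj):
    """True if subj is a dict with a known subject_type and every required member as a string."""
    if not isinstance(subj, dict) or "subject_type" not in subj:
        return False
    required = REQUIRED_MEMBERS.get(subj["subject_type"])
    if required is None:
        return False  # unknown type: reject rather than guess what identifies the user
    return required <= set(subj) and all(isinstance(subj[m], str) for m in required)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_login_hint_token(subj, key: bytes, claim_name: str = "subject") -> str:
    """Build a compact HS256 JWT whose payload carries subj under claim_name (assumed key)."""
    if not validate_subject_identifier(subj):
        raise ValueError("malformed subject identifier")
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({claim_name: subj}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def extract_subject(token: str, key: bytes, claim_name: str = "subject"):
    """Verify the HS256 signature, then return the subject identifier found under claim_name.
    Returns None on any failure; a consumer expecting a different claim_name also gets None,
    which is exactly the interoperability gap the mail describes."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        return None
    expected = _b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    subj = claims.get(claim_name)
    return subj if validate_subject_identifier(subj) else None
```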