Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
William Denniss <wdenniss@google.com> Wed, 01 March 2017 20:13 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BB2F129690 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:13:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lAMWWojhAczv for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:13:02 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B06C12968C for <id-event@ietf.org>; Wed, 1 Mar 2017 12:13:02 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id n186so86880780qkb.3 for <id-event@ietf.org>; Wed, 01 Mar 2017 12:13:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9a4cgE0cNbuQFx3B/dvWun054drsKOyHtyaVtrSgNsA=; b=pkie2ISVpsbLJ5S+FcKiUOfgM9b/YUCju3J6kHoQoiVzNzWiArjptLT0BKHu+QueZn V4MRSkRGjVB/Tr/ac9+ogyJ0T5c/5S99U2U8h9cPOMwl/C4YGPzYB2K8i4nxUSK0xWb5 /GTxZ3Xs6nfEQ+R4xPql29WX/7ooDKF4MUkllyZNH6RHk6HCZY3+qQM+R75r1xKoQ72z rq4cY/7Fjm6NbLa6PscAHnS9aY+gaRB2zMBZexN+wQVDdUemEQutd44kYgav0ampCBhj sjHf8AsxBmy6c+Ywb8jxz3rpDP4ILlmSLuX4ZqwyV1n42U8LrvgZd8is+evnwdFSk40J bvrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9a4cgE0cNbuQFx3B/dvWun054drsKOyHtyaVtrSgNsA=; b=lozjVCFja0rhxsn1ce6P82P9Ap/syqMz/1baircIeQDAnoSbPg8osTbh6G8G/0XEJe KTUpwl5qC/BSHAiMz3QGqvyAjxqkxuU5EYNcmUCWuH9jFHjjcsJ6pew97TfPnRqrIGK8 ssQOEF6grdB2F/gX40xbuljbGo5BhNgO8BqfR6n1Grx+9huLk6rox2feYIfwOw29yQqv QkwVyw5IObK2tkV8mhsFYVUqjhWUoPr1HbQeEJfP4HBxwatcxCkRc8IYiHMvNkB7617P QE36IsNSbPjd8L8uEMEhOtDAwq5eEi07Fnv/rz6shzhWWl30VqY35P+fkQDh/r+gqem9 197w==
X-Gm-Message-State: AMke39lni09BR6tFKIWmLoq1kVb+iCK3arHEagslJC6Tdhtvi+3DDRgoBn7waYqYPqRhA0sNJz14hf9XYqsFT41z
X-Received: by 10.55.181.1 with SMTP id e1mr12860528qkf.122.1488399181031; Wed, 01 Mar 2017 12:13:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 12:12:40 -0800 (PST)
In-Reply-To: <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 12:12:40 -0800
Message-ID: <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c06c64278b8880549b0f034"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/YXPAw3OBAgqbP2UT04s3lUeDxmw>
Cc: ID Events Mailing List <id-event@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 20:13:04 -0000
Seems to me that if you're using iss/aud in Connect you should be careful in using that same iss/aud combination outside Connect. What if the guidance is not an outright prohibition, but a security consideration to "be careful", with a suggested mitigation (being not to re-use iss/aud tuples outside of Connect). On Wed, Mar 1, 2017 at 12:09 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > I suspect that lots of non-OpenID-Connect OAuth 2.0 use cases also use the > Client ID as the Audience value, especially since some OAuth clients don’t > even have a URL associated with them. Trying to prohibit the use of Client > IDs as audiences will likely break things that we’re not even aware of. > > > > *From:* William Denniss [mailto:wdenniss@google.com] > *Sent:* Wednesday, March 1, 2017 12:06 PM > *To:* Mike Jones <Michael.Jones@microsoft.com> > *Cc:* Phil Hunt <phil.hunt@oracle.com>; ID Events Mailing List < > id-event@ietf.org> > > *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET > tokens > > > > > > > > On Wed, Mar 1, 2017 at 11:33 AM, Mike Jones <Michael.Jones@microsoft.com> > wrote: > > Hi William, > > > > I appreciate you supporting using the standard definitions for “sub” and > “iss”. That said, I then find it confusing that you are suggesting that > people be prohibited from using “aud” (audience) in the standard way. > > > > I’ll also note that if you prohibit using “aud” in the standard way, > you’ll both break the usage in the OpenID Connect Logout Token > http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken > and in SETs https://tools.ietf.org/html/draft-ietf-secevent-token-00# > section-2.1. Please let’s not go there. > > > > I'm not suggesting an outright prohibition on "aud" being the client id, I > realise my words were a little inarticulate. > > > > I see "aud as client id" as the domain of OpenID Connect (since that's > where that usage of "aud" was defined). I completely understand why Connect > Logout uses "aud as client id" and would expect other Connect specs to do > so – but these specs understand Connect and can be written to avoid > problems (as Logout does). > > > > My guidence would be that a *non*-Connect specs should use "aud as URI" > (basically just !"aud as client id") to avoid accidently causing problems > for Connect. > > > > When constrained that way, what do you think of the guidance? > > > > Implementations using both ID Tokens and SETs can already unambiguously > distinguish between them by the presence of the “events” claim. ID Tokens > don’t use “events” whereas SETs do. The fact that “nonce” is present in an > ID Token but not SETs provides an extra means of rejecting SETs in ID Token > contexts. I don’t see there as being any actual practical problem to solve > that rises to the level of causing us to do unnatural things to claims > usage. > > > > +1 > > > > > > -- Mike > > > > *From:* William Denniss [mailto:wdenniss@google.com] > *Sent:* Wednesday, March 1, 2017 11:21 AM > *To:* Phil Hunt <phil.hunt@oracle.com>; Mike Jones < > Michael.Jones@microsoft.com> > *Cc:* ID Events Mailing List <id-event@ietf.org> > *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET > tokens > > > > My vote is for #1. Iss and sub should take the definition from JWT. > > > > I fear that following the "access token confusion mitigation" logic here > basically means that "sub" can only be used by authorization & > authentication protocols which is wasn't the intent of the spec > <https://tools.ietf.org/html/rfc7519#section-4.1>. What is the point of > these standard claims if we can't use them? Will every new spec > prohibit/rename a different standard claim? This isn't scalable, and is > super confusing. > > > > Back-channel logout "breaks" the id token mix-up by prohibiting > <https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> > 'nonce'. When I spoke to Breno about the overall risk, he suggested not > reusing "aud" in other systems (like RISC, SCIM, etc). OpenID Connect > defines "aud" to be the client-id. If *every other spec* uses a URI-based > approach for aud and recommends not re-using audience URIs between systems, > then we can avoid conflicts and usage mix-ups. > > > > If I recall correctly in Buenos Aires, the preference of +Mike was to keep > "sub" for compatibility with Backchannel Logout. > > > > I hope we can avoid going around in circles on this security topic, how > about I propose some new text for https://tools.ietf.org/ > html/draft-ietf-secevent-token-00#section-3.5 capturing the "aud" > suggestion? We can confine all such "access token confusion" matters to > that section, and just build the best SET spec we can without needing to > bake in hacks. > > > > Mandating that different systems use non-overlapping "aud" sets doesn't > not sound like a hack to me at all (unlike renaming "sub"), since the > audience of a SET stream is surely different to that of an AuthZ/N token. > > > > > > > > On Wed, Mar 1, 2017 at 10:27 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > > In the comments on idtoken-07, Yaron raised concerns around the confusion > of “iss” of the subject of the event vs. issuer of the event. The current > text says that if there is a need to distinguish between “iss” of the “sub” > vs. “iss” of the event, then the event should place the “iss” of the > subject in the event payload area. > > > > I agree this does seem awkward. > > > > I have been thinking a related concern, that a SET could be confused as an > access token if it has a “sub” value. If we stop using “sub” then we’re > potentially causing web access management systems to reject SETs as invalid > access tokens — this is theoretically a GOOD THING. > > > > PLEASE INDICATE 1 or 2, or provide additional discussion. > > > > Two options: > > > > 1. Leave as is. > > > > 2. Create a new attribute object, “esub” (event subject) which is a JSON > object that contains the attributes needed to identify the subject. For > example: > > > > We currently have: > > { > > "jti": "fb4e75b5411e4e19b6c0fe87950f7749", > > > > "sub": "248289761001", > > "iat": 1458496025, > > "iss": "https://my.examplemed.com", > > "aud": [ > > "https://rp.example.com" > > ], > > "events": { > > "https://openid.net/heart/specs/consent.html":{ > > "iss":"https://connect.example.com", > > "consentUri":[ > > "https://terms.examplemed.com/labdisclosure.html#Agree" > > ] > > } > > } > > } > > > > Could be represented as: > > { > > "jti": "fb4e75b5411e4e19b6c0fe87950f7749", > > > > “esub": { > > “sub”:"248289761001”, > > "iss":"https://connect.example.com” > > } > > "iat": 1458496025, > > "iss": "https://my.examplemed.com", > > "aud": [ > > "https://rp.example.com" > > ], > > "events": { > > "https://openid.net/heart/specs/consent.html":{ > > "consentUri":[ > > "https://terms.examplemed.com/labdisclosure.html#Agree" > > ] > > } > > } > > } > > > > Comments: > > * “sub” remains untouched in the sense that it retains the meaning used in > traditional access tokens. > > * “esub” contains the full information to address the subject. No need to > look around for a second “iss” (which may or may not be there) > > > > To do this would require defining “esub” and sub-attributes like, “iss”, > “sub” (which follow current defs), and probably “uri” for those entities > that are referenceable as a URI. Examples of URI subjects: > > * in implicit federation (from RISC): “uri”:”mailto:phil.hunt@yahoo.com > <phil.hunt@yahoo.com>” > > * in SCIM where resources have URIs: “uri”:”https://scim.example. > com/Users/44f6142df96bd6ab61e7521d9" > > > > One catch. Profiling specs would not be able to define new ways of > addressing subjects with esub. > > > > Phil > > > > Oracle Corporation, Identity Cloud Services & Identity Standards > > @independentid > > www.independentid.com > > phil.hunt@oracle.com > > > > > > > > > > > > > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > > > >
- [Id-event] Thread: Clarifying use of sub and iss … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Brian Campbell
- [Id-event] Making SETs distinct as JWTs (was: Re:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs Benjamin Kaduk
- Re: [Id-event] Making SETs distinct as JWTs (was:… Vivek Biswas
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt (IDM)
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Making SETs distinct as JWTs Yaron Sheffer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones