IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

William Denniss <wdenniss@google.com> Wed, 01 March 2017 20:13 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BB2F129690 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:13:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lAMWWojhAczv for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:13:02 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B06C12968C for <id-event@ietf.org>; Wed, 1 Mar 2017 12:13:02 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id n186so86880780qkb.3 for <id-event@ietf.org>; Wed, 01 Mar 2017 12:13:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9a4cgE0cNbuQFx3B/dvWun054drsKOyHtyaVtrSgNsA=; b=pkie2ISVpsbLJ5S+FcKiUOfgM9b/YUCju3J6kHoQoiVzNzWiArjptLT0BKHu+QueZn V4MRSkRGjVB/Tr/ac9+ogyJ0T5c/5S99U2U8h9cPOMwl/C4YGPzYB2K8i4nxUSK0xWb5 /GTxZ3Xs6nfEQ+R4xPql29WX/7ooDKF4MUkllyZNH6RHk6HCZY3+qQM+R75r1xKoQ72z rq4cY/7Fjm6NbLa6PscAHnS9aY+gaRB2zMBZexN+wQVDdUemEQutd44kYgav0ampCBhj sjHf8AsxBmy6c+Ywb8jxz3rpDP4ILlmSLuX4ZqwyV1n42U8LrvgZd8is+evnwdFSk40J bvrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9a4cgE0cNbuQFx3B/dvWun054drsKOyHtyaVtrSgNsA=; b=lozjVCFja0rhxsn1ce6P82P9Ap/syqMz/1baircIeQDAnoSbPg8osTbh6G8G/0XEJe KTUpwl5qC/BSHAiMz3QGqvyAjxqkxuU5EYNcmUCWuH9jFHjjcsJ6pew97TfPnRqrIGK8 ssQOEF6grdB2F/gX40xbuljbGo5BhNgO8BqfR6n1Grx+9huLk6rox2feYIfwOw29yQqv QkwVyw5IObK2tkV8mhsFYVUqjhWUoPr1HbQeEJfP4HBxwatcxCkRc8IYiHMvNkB7617P QE36IsNSbPjd8L8uEMEhOtDAwq5eEi07Fnv/rz6shzhWWl30VqY35P+fkQDh/r+gqem9 197w==
X-Gm-Message-State: AMke39lni09BR6tFKIWmLoq1kVb+iCK3arHEagslJC6Tdhtvi+3DDRgoBn7waYqYPqRhA0sNJz14hf9XYqsFT41z
X-Received: by 10.55.181.1 with SMTP id e1mr12860528qkf.122.1488399181031; Wed, 01 Mar 2017 12:13:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 12:12:40 -0800 (PST)
In-Reply-To: <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 12:12:40 -0800
Message-ID: <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c06c64278b8880549b0f034"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/YXPAw3OBAgqbP2UT04s3lUeDxmw>
Cc: ID Events Mailing List <id-event@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 20:13:04 -0000

Seems to me that if you're using iss/aud in Connect you should be careful
in using that same iss/aud combination outside Connect.

What if the guidance is not an outright prohibition, but a security
consideration to "be careful", with a suggested mitigation (being not to
re-use iss/aud tuples outside of Connect).

On Wed, Mar 1, 2017 at 12:09 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> I suspect that lots of non-OpenID-Connect OAuth 2.0 use cases also use the
> Client ID as the Audience value, especially since some OAuth clients don’t
> even have a URL associated with them.  Trying to prohibit the use of Client
> IDs as audiences will likely break things that we’re not even aware of.
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Wednesday, March 1, 2017 12:06 PM
> *To:* Mike Jones <Michael.Jones@microsoft.com>
> *Cc:* Phil Hunt <phil.hunt@oracle.com>; ID Events Mailing List <
> id-event@ietf.org>
>
> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET
> tokens
>
>
>
>
>
>
>
> On Wed, Mar 1, 2017 at 11:33 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> Hi William,
>
>
>
> I appreciate you supporting using the standard definitions for “sub” and
> “iss”.  That said, I then find it confusing that you are suggesting that
> people be prohibited from using “aud” (audience) in the standard way.
>
>
>
> I’ll also note that if you prohibit using “aud” in the standard way,
> you’ll both break the usage in the OpenID Connect Logout Token
> http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
> and in SETs https://tools.ietf.org/html/draft-ietf-secevent-token-00#
> section-2.1.  Please let’s not go there.
>
>
>
> I'm not suggesting an outright prohibition on "aud" being the client id, I
> realise my words were a little inarticulate.
>
>
>
> I see "aud as client id" as the domain of OpenID Connect (since that's
> where that usage of "aud" was defined). I completely understand why Connect
> Logout uses "aud as client id" and would expect other Connect specs to do
> so – but these specs understand Connect and can be written to avoid
> problems (as Logout does).
>
>
>
> My guidence would be that a *non*-Connect specs should use "aud as URI"
> (basically just !"aud as client id") to avoid accidently causing problems
> for Connect.
>
>
>
> When constrained that way, what do you think of the guidance?
>
>
>
> Implementations using both ID Tokens and SETs can already unambiguously
> distinguish between them by the presence of the “events” claim.  ID Tokens
> don’t use “events” whereas SETs do.  The fact that “nonce” is present in an
> ID Token but not SETs provides an extra means of rejecting SETs in ID Token
> contexts.  I don’t see there as being any actual practical problem to solve
> that rises to the level of causing us to do unnatural things to claims
> usage.
>
>
>
> +1
>
>
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Wednesday, March 1, 2017 11:21 AM
> *To:* Phil Hunt <phil.hunt@oracle.com>; Mike Jones <
> Michael.Jones@microsoft.com>
> *Cc:* ID Events Mailing List <id-event@ietf.org>
> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET
> tokens
>
>
>
> My vote is for #1.  Iss and sub should take the definition from JWT.
>
>
>
> I fear that following the "access token confusion mitigation" logic here
> basically means that "sub" can only be used by authorization &
> authentication protocols which is wasn't the intent of the spec
> <https://tools.ietf.org/html/rfc7519#section-4.1>.  What is the point of
> these standard claims if we can't use them? Will every new spec
> prohibit/rename a different standard claim? This isn't scalable, and is
> super confusing.
>
>
>
> Back-channel logout "breaks" the id token mix-up by prohibiting
> <https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken>
> 'nonce'.  When I spoke to Breno about the overall risk, he suggested not
> reusing "aud" in other systems (like RISC, SCIM, etc). OpenID Connect
> defines "aud" to be the client-id. If *every other spec* uses a URI-based
> approach for aud and recommends not re-using audience URIs between systems,
> then we can avoid conflicts and usage mix-ups.
>
>
>
> If I recall correctly in Buenos Aires, the preference of +Mike was to keep
> "sub" for compatibility with Backchannel Logout.
>
>
>
> I hope we can avoid going around in circles on this security topic, how
> about I propose some new text for https://tools.ietf.org/
> html/draft-ietf-secevent-token-00#section-3.5 capturing the "aud"
> suggestion?  We can confine all such "access token confusion" matters to
> that section, and just build the best SET spec we can without needing to
> bake in hacks.
>
>
>
> Mandating that different systems use non-overlapping "aud" sets doesn't
> not sound like a hack to me at all (unlike renaming "sub"), since the
> audience of a SET stream is surely different to that of an AuthZ/N token.
>
>
>
>
>
>
>
> On Wed, Mar 1, 2017 at 10:27 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> In the comments on idtoken-07, Yaron raised concerns around the confusion
> of “iss” of the subject of the event vs. issuer of the event.  The current
> text says that if there is a need to distinguish between “iss” of the “sub”
> vs. “iss” of the event, then the event should place the “iss” of the
> subject in the event payload area.
>
>
>
> I agree this does seem awkward.
>
>
>
> I have been thinking a related concern, that a SET could be confused as an
> access token if it has a “sub” value.  If we stop using “sub” then we’re
> potentially causing web access management systems to reject SETs as invalid
> access tokens — this is theoretically a GOOD THING.
>
>
>
> PLEASE INDICATE 1 or 2, or provide additional discussion.
>
>
>
> Two options:
>
>
>
> 1. Leave as is.
>
>
>
> 2.  Create a new attribute object, “esub” (event subject) which is a JSON
> object that contains the attributes needed to identify the subject.  For
> example:
>
>
>
> We currently have:
>
>    {
>
>      "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>
>
>
>      "sub": "248289761001",
>
>      "iat": 1458496025,
>
>      "iss": "https://my.examplemed.com",
>
>      "aud": [
>
>        "https://rp.example.com"
>
>      ],
>
>      "events": {
>
>        "https://openid.net/heart/specs/consent.html":{
>
>          "iss":"https://connect.example.com",
>
>          "consentUri":[
>
>            "https://terms.examplemed.com/labdisclosure.html#Agree"
>
>          ]
>
>        }
>
>      }
>
>    }
>
>
>
> Could be represented as:
>
>    {
>
>      "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>
>
>
>      “esub": {
>
>        “sub”:"248289761001”,
>
>        "iss":"https://connect.example.com”
>
>      }
>
>      "iat": 1458496025,
>
>      "iss": "https://my.examplemed.com",
>
>      "aud": [
>
>        "https://rp.example.com"
>
>      ],
>
>      "events": {
>
>        "https://openid.net/heart/specs/consent.html":{
>
>          "consentUri":[
>
>            "https://terms.examplemed.com/labdisclosure.html#Agree"
>
>          ]
>
>        }
>
>      }
>
>    }
>
>
>
> Comments:
>
> * “sub” remains untouched in the sense that it retains the meaning used in
> traditional access tokens.
>
> * “esub” contains the full information to address the subject.  No need to
> look around for a second “iss” (which may or may not be there)
>
>
>
> To do this would require defining “esub” and sub-attributes like, “iss”,
> “sub” (which follow current defs), and probably “uri” for those entities
> that are referenceable as a URI.  Examples of URI subjects:
>
> *  in implicit federation (from RISC):   “uri”:”mailto:phil.hunt@yahoo.com
> <phil.hunt@yahoo.com>”
>
> *  in SCIM where resources have URIs:  “uri”:”https://scim.example.
> com/Users/44f6142df96bd6ab61e7521d9"
>
>
>
> One catch. Profiling specs would not be able to define new ways of
> addressing subjects with esub.
>
>
>
> Phil
>
>
>
> Oracle Corporation, Identity Cloud Services & Identity Standards
>
> @independentid
>
> www.independentid.com
>
> phil.hunt@oracle.com
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>
>
>
>
>

v2.23.0 | Report a Bug | By Email