Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
William Denniss <wdenniss@google.com> Wed, 01 March 2017 20:09 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF738129688 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:09:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4MIfgD_zMiZP for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:09:15 -0800 (PST)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2558129684 for <id-event@ietf.org>; Wed, 1 Mar 2017 12:09:14 -0800 (PST)
Received: by mail-qk0-x231.google.com with SMTP id s186so89014520qkb.1 for <id-event@ietf.org>; Wed, 01 Mar 2017 12:09:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3xodFsr4SDIe1mIOg6wVFFqyERXUjtjokWtqqtGMXNQ=; b=DMLh4c+rCZJVRcrI48+Y12sz9Q0+H7XL8/mFEVD1wrGXw2/tOCXGTRsQZq6LzAhWF9 Tn3ibL9nyMe2QKEywUscjliW7qPal1qGv9hHM7dGj2PGMK0mwPDGniy4XAko3an1ny9H OsGb/PYmKvOTEXqLdxCBVQiUpDwxIAA6JMHnJwzDKojpWtzQZ9LFc0zNIGV2+SZplepk UDDK9afm8BayJKq+NvOHjl9NbePQ4ec23aR25sYkp+risvraGjd4t4yjvjtaXaEIE6bG KwNELd1ppm+Tb7GkJUkuXZs/4nKz6xlOmoiMFOc4b8YEzF0WAIwI3urEusS2otuT0llE 3ZHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3xodFsr4SDIe1mIOg6wVFFqyERXUjtjokWtqqtGMXNQ=; b=erVw4wMQLGjYWYIeXC4xSv/DmQ/wCSZt2bxfNhQKo0t31Mspyc6tDtmWyUWgGF07yJ 4RtEMSaqOMjHSvsLCB3u0z669mi99LIpUxwsAWCIa1ei6PScmebIDf3mkY7eb4i9eSe5 j9ZE06ZwHPTeGWrMlLXgHvbuXDomEpMaHHmgDF6ityOOGpVN2HfD1A7sh+YBK9gu/HyP pG+Xry9x/a+HXKP0ZPQ4mXkYYoGtSQVdNpeG0QOPLmkYUf/t3wSB9OjAlAJ+K+zQC3xO GR4HrOKPAgJ3TLl5PEj75jp6cFZV5xJQctQMot3+GIJEEkbePKM8fPng4fybLb1veuof gF9w==
X-Gm-Message-State: AMke39mjiCEiuWKgTy6Yv4cOf3B2EJgC0YkvABsG4AIJHpSOUfbj09E27D9o08vOrm5Xc3wDbsIS1J6bYXXE+kjX
X-Received: by 10.55.198.76 with SMTP id b73mr12929771qkj.54.1488398953401; Wed, 01 Mar 2017 12:09:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 12:08:52 -0800 (PST)
In-Reply-To: <CY4PR21MB05046199373561CBFF5F53CBF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <EBD62E0D-3D12-4785-8421-7D92035DE5F5@oracle.com> <CY4PR21MB05046199373561CBFF5F53CBF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 12:08:52 -0800
Message-ID: <CAAP42hDvHrUq__5A_OLPVY5YxtvfSEtNyQEJBGgw9mFY8HA_Ow@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c17a74e96cd50549b0e21c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/dBkI-8RKYMLI-FKr1c07w5ii834>
Cc: ID Events Mailing List <id-event@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 20:09:17 -0000
On Wed, Mar 1, 2017 at 11:47 AM, Mike Jones <Michael.Jones@microsoft.com> wrote: > In many of the cases, the issuer of the SET will be the same as the issuer > of the subject of the event, since it’s the issuer that’s authoritative for > both in most cases. Only in the case that the party issuing the event is > different from the party that the event is about (which I think will be a > less common case) will it be necessary to have a second issuer. And in > that case, we already have syntax for that second issuer – which becomes a > parameter to the event. > +1 > > > The way that “iss” and “sub” are bound together syntactically is that > they’re members of the same JSON object. If you want to have a second > issuer and subject, they would also be members of a JSON object – in that > case, the JSON object for the event parameters. > > > > As I wrote in the (now forked) response to William, we should steer clear > of requiring people to use claims in unnatural ways. For instance, “aud” > (audience) restrictions would violate this principle. > I wasn't suggesting a normative restriction, rather a security consideration. One that could accommodate the Logout use-case, but hopefully avoid other people accidentally clobbering Connect. > > > Given that OpenID Connect Core the use of “nonce” in ID Tokens, I think > it’s sufficient for OpenID Connect Back-Channel Logout to prohibit its use > in Logout Tokens. Both are OpenID-specific. I don’t think we need to say > anything in the SET spec about OpenID-specific claims. > +1 > > > -- Mike > > > > *From:* Phil Hunt [mailto:phil.hunt@oracle.com] > *Sent:* Wednesday, March 1, 2017 11:37 AM > *To:* William Denniss <wdenniss@google.com> > *Cc:* Mike Jones <Michael.Jones@microsoft.com>; ID Events Mailing List < > id-event@ietf.org> > *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET > tokens > > > > +1 I like the idea of prohibiting ‘nonce”. Would be great to have a > proposal for the “aud” text. > > > > I’m neutral on this stuff. In proposing 2, I was responding to the > awkwardness that Yaron pointed. I was trying to think of something that > cleanly separates SET use of subject from the way access tokens use it. I > wanted to bind together the “iss” and “sub” as they often go together. I’m > not a fan of having “iss” colliding with the issuer of the SET….I wish > there was a better way to keep “sub” and “iss” closer together. > > > > Phil > > > > Oracle Corporation, Identity Cloud Services & Identity Standards > > @independentid > > www.independentid.com > > phil.hunt@oracle.com > > > > > > > > > > > > > > On Mar 1, 2017, at 11:20 AM, William Denniss <wdenniss@google.com> wrote: > > > > My vote is for #1. Iss and sub should take the definition from JWT. > > > > I fear that following the "access token confusion mitigation" logic here > basically means that "sub" can only be used by authorization & > authentication protocols which is wasn't the intent of the spec > <https://tools.ietf.org/html/rfc7519#section-4.1>. What is the point of > these standard claims if we can't use them? Will every new spec > prohibit/rename a different standard claim? This isn't scalable, and is > super confusing. > > > > Back-channel logout "breaks" the id token mix-up by prohibiting > <https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken> > 'nonce'. When I spoke to Breno about the overall risk, he suggested not > reusing "aud" in other systems (like RISC, SCIM, etc). OpenID Connect > defines "aud" to be the client-id. If *every other spec* uses a URI-based > approach for aud and recommends not re-using audience URIs between systems, > then we can avoid conflicts and usage mix-ups. > > > > If I recall correctly in Buenos Aires, the preference of +Mike was to keep > "sub" for compatibility with Backchannel Logout. > > > > I hope we can avoid going around in circles on this security topic, how > about I propose some new text for https://tools.ietf.org/htm > l/draft-ietf-secevent-token-00#section-3.5 capturing the "aud" > suggestion? We can confine all such "access token confusion" matters to > that section, and just build the best SET spec we can without needing to > bake in hacks. > > > > Mandating that different systems use non-overlapping "aud" sets doesn't > not sound like a hack to me at all (unlike renaming "sub"), since the > audience of a SET stream is surely different to that of an AuthZ/N token. > > > > > > > > On Wed, Mar 1, 2017 at 10:27 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > > In the comments on idtoken-07, Yaron raised concerns around the confusion > of “iss” of the subject of the event vs. issuer of the event. The current > text says that if there is a need to distinguish between “iss” of the “sub” > vs. “iss” of the event, then the event should place the “iss” of the > subject in the event payload area. > > > > I agree this does seem awkward. > > > > I have been thinking a related concern, that a SET could be confused as an > access token if it has a “sub” value. If we stop using “sub” then we’re > potentially causing web access management systems to reject SETs as invalid > access tokens — this is theoretically a GOOD THING. > > > > PLEASE INDICATE 1 or 2, or provide additional discussion. > > > > Two options: > > > > 1. Leave as is. > > > > 2. Create a new attribute object, “esub” (event subject) which is a JSON > object that contains the attributes needed to identify the subject. For > example: > > > > We currently have: > > { > > "jti": "fb4e75b5411e4e19b6c0fe87950f7749", > > > > "sub": "248289761001", > > "iat": 1458496025, > > "iss": "https://my.examplemed.com", > > "aud": [ > > "https://rp.example.com" > > ], > > "events": { > > "https://openid.net/heart/specs/consent.html":{ > > "iss":"https://connect.example.com", > > "consentUri":[ > > "https://terms.examplemed.com/labdisclosure.html#Agree" > > ] > > } > > } > > } > > > > Could be represented as: > > { > > "jti": "fb4e75b5411e4e19b6c0fe87950f7749", > > > > “esub": { > > “sub”:"248289761001”, > > "iss":"https://connect.example.com” > > } > > "iat": 1458496025, > > "iss": "https://my.examplemed.com", > > "aud": [ > > "https://rp.example.com" > > ], > > "events": { > > "https://openid.net/heart/specs/consent.html":{ > > "consentUri":[ > > "https://terms.examplemed.com/labdisclosure.html#Agree" > > ] > > } > > } > > } > > > > Comments: > > * “sub” remains untouched in the sense that it retains the meaning used in > traditional access tokens. > > * “esub” contains the full information to address the subject. No need to > look around for a second “iss” (which may or may not be there) > > > > To do this would require defining “esub” and sub-attributes like, “iss”, > “sub” (which follow current defs), and probably “uri” for those entities > that are referenceable as a URI. Examples of URI subjects: > > * in implicit federation (from RISC): “uri”:”mailto:phil.hunt@yahoo.com > <phil.hunt@yahoo.com>” > > * in SCIM where resources have URIs: “uri”:”https://scim.example.c > om/Users/44f6142df96bd6ab61e7521d9" > > > > One catch. Profiling specs would not be able to define new ways of > addressing subjects with esub. > > > > Phil > > > > Oracle Corporation, Identity Cloud Services & Identity Standards > > @independentid > > www.independentid.com > > phil.hunt@oracle.com > > > > > > > > > > > > > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > >
- [Id-event] Thread: Clarifying use of sub and iss … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Brian Campbell
- [Id-event] Making SETs distinct as JWTs (was: Re:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Marius Scurtescu
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs Benjamin Kaduk
- Re: [Id-event] Making SETs distinct as JWTs (was:… Vivek Biswas
- Re: [Id-event] Making SETs distinct as JWTs (was:… Brian Campbell
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt (IDM)
- Re: [Id-event] Making SETs distinct as JWTs (was:… Mike Jones
- Re: [Id-event] Making SETs distinct as JWTs (was:… Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Making SETs distinct as JWTs Yaron Sheffer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … William Denniss
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Justin Richer
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt
- Re: [Id-event] Thread: Clarifying use of sub and … Marius Scurtescu
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones
- Re: [Id-event] Thread: Clarifying use of sub and … Phil Hunt (IDM)
- Re: [Id-event] Thread: Clarifying use of sub and … Benjamin Kaduk
- Re: [Id-event] Thread: Clarifying use of sub and … Mike Jones