IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

William Denniss <wdenniss@google.com> Wed, 01 March 2017 20:06 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D10F129690 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:06:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6XhSFX1bO6FR for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 12:06:37 -0800 (PST)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36140129688 for <id-event@ietf.org>; Wed, 1 Mar 2017 12:06:37 -0800 (PST)
Received: by mail-qk0-x230.google.com with SMTP id u188so89215532qkc.2 for <id-event@ietf.org>; Wed, 01 Mar 2017 12:06:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=N27Eze8f6iXfsQDkz/iBdHBt3PVhJJK30CFNyNUFEQM=; b=cWpDP6D5bjUsxr8GJ1XEYHBuVqI+pTLefDVAbDv6ujhhmqYfO6+s6COcPjhhrC/SxT h8SbrzyiPNdb4iFbDPL+bHR1eMPpZj2KdOCG1HeCvCspMzurHzat4rds8+dmcduhOIJ6 KvkO06mTWxHXqc2cOu8WqMkkGHOcQTym7YffgI2Sd5TjXcwfPaJDfEpEIFG3Dr776Nzu 8o9tUPZOjcNN9L5CZ5frb0qjPXiX3lg4h0rfrqTA7fs1yWZy8QlbCpJPsv94TirqUgyn yp6Uo/ISearY55t5M7jHgtay7mfhRm4w2m5PhuPc5iSW5jc10FAMq2HaYAuEpFTkY81B Cw8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=N27Eze8f6iXfsQDkz/iBdHBt3PVhJJK30CFNyNUFEQM=; b=TvuuSwOHq0xNnf/leZV/Hvp9QJzGgsXnWev0jSeHQ+Bt0wYZC83uXR7PT08JyBKps5 EQUmD2zGennO6Qp1g01SQlb7SDKLWRGi9zBppfjHUt4NkzwddWmO8sBMi2XmFI1CkQXD aKJD6EuhWksIklxN8u6XWMrwFsmWsIPQjGhSMmRHEqOGih8p8mDLU5m277oT4p1SIaXo 9xUzYpQWBzyEfw+4YDICVFFR3XAsRDQEFEXLStQX96g3SygD7a1GukWHVVFY+178fRp3 b4wHx7/yWy+PodxQWIYGBDHuYmvV5E4/j23n1h91HoHGyd3QPyQRDsDSPW+4oVyVDTUI uzCg==
X-Gm-Message-State: AMke39niRhAuj6xZr2B5aGULbwxma/6x3FPo6h0yZGwiolf6mZuXSt0/SBfiFLO58BS4GIc76mtePsLpgE5RtpQt
X-Received: by 10.200.44.156 with SMTP id 28mr12816065qtw.48.1488398796100; Wed, 01 Mar 2017 12:06:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Wed, 1 Mar 2017 12:06:15 -0800 (PST)
In-Reply-To: <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Wed, 01 Mar 2017 12:06:15 -0800
Message-ID: <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11376fac86f2b40549b0d932"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/mB2avpI9BaD32Tn-JK6uj5o8Bhg>
Cc: ID Events Mailing List <id-event@ietf.org>, Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 20:06:39 -0000

On Wed, Mar 1, 2017 at 11:33 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Hi William,
>
>
>
> I appreciate you supporting using the standard definitions for “sub” and
> “iss”.  That said, I then find it confusing that you are suggesting that
> people be prohibited from using “aud” (audience) in the standard way.
>
>
>
> I’ll also note that if you prohibit using “aud” in the standard way,
> you’ll both break the usage in the OpenID Connect Logout Token
> http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
> and in SETs https://tools.ietf.org/html/draft-ietf-secevent-token-00#
> section-2.1.  Please let’s not go there.
>

I'm not suggesting an outright prohibition on "aud" being the client id, I
realise my words were a little inarticulate.

I see "aud as client id" as the domain of OpenID Connect (since that's
where that usage of "aud" was defined). I completely understand why Connect
Logout uses "aud as client id" and would expect other Connect specs to do
so – but these specs understand Connect and can be written to avoid
problems (as Logout does).

My guidence would be that a *non*-Connect specs should use "aud as URI"
(basically just !"aud as client id") to avoid accidently causing problems
for Connect.

When constrained that way, what do you think of the guidance?

Implementations using both ID Tokens and SETs can already unambiguously
> distinguish between them by the presence of the “events” claim.  ID Tokens
> don’t use “events” whereas SETs do.  The fact that “nonce” is present in an
> ID Token but not SETs provides an extra means of rejecting SETs in ID Token
> contexts.  I don’t see there as being any actual practical problem to solve
> that rises to the level of causing us to do unnatural things to claims
> usage.
>

+1


>
>
>                                                                 -- Mike
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* Wednesday, March 1, 2017 11:21 AM
> *To:* Phil Hunt <phil.hunt@oracle.com>; Mike Jones <
> Michael.Jones@microsoft.com>
> *Cc:* ID Events Mailing List <id-event@ietf.org>
> *Subject:* Re: [Id-event] Thread: Clarifying use of sub and iss in SET
> tokens
>
>
>
> My vote is for #1.  Iss and sub should take the definition from JWT.
>
>
>
> I fear that following the "access token confusion mitigation" logic here
> basically means that "sub" can only be used by authorization &
> authentication protocols which is wasn't the intent of the spec
> <https://tools.ietf.org/html/rfc7519#section-4.1>.  What is the point of
> these standard claims if we can't use them? Will every new spec
> prohibit/rename a different standard claim? This isn't scalable, and is
> super confusing.
>
>
>
> Back-channel logout "breaks" the id token mix-up by prohibiting
> <https://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken>
> 'nonce'.  When I spoke to Breno about the overall risk, he suggested not
> reusing "aud" in other systems (like RISC, SCIM, etc). OpenID Connect
> defines "aud" to be the client-id. If *every other spec* uses a URI-based
> approach for aud and recommends not re-using audience URIs between systems,
> then we can avoid conflicts and usage mix-ups.
>
>
>
> If I recall correctly in Buenos Aires, the preference of +Mike was to keep
> "sub" for compatibility with Backchannel Logout.
>
>
>
> I hope we can avoid going around in circles on this security topic, how
> about I propose some new text for https://tools.ietf.org/
> html/draft-ietf-secevent-token-00#section-3.5 capturing the "aud"
> suggestion?  We can confine all such "access token confusion" matters to
> that section, and just build the best SET spec we can without needing to
> bake in hacks.
>
>
>
> Mandating that different systems use non-overlapping "aud" sets doesn't
> not sound like a hack to me at all (unlike renaming "sub"), since the
> audience of a SET stream is surely different to that of an AuthZ/N token.
>
>
>
>
>
>
>
> On Wed, Mar 1, 2017 at 10:27 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> In the comments on idtoken-07, Yaron raised concerns around the confusion
> of “iss” of the subject of the event vs. issuer of the event.  The current
> text says that if there is a need to distinguish between “iss” of the “sub”
> vs. “iss” of the event, then the event should place the “iss” of the
> subject in the event payload area.
>
>
>
> I agree this does seem awkward.
>
>
>
> I have been thinking a related concern, that a SET could be confused as an
> access token if it has a “sub” value.  If we stop using “sub” then we’re
> potentially causing web access management systems to reject SETs as invalid
> access tokens — this is theoretically a GOOD THING.
>
>
>
> PLEASE INDICATE 1 or 2, or provide additional discussion.
>
>
>
> Two options:
>
>
>
> 1. Leave as is.
>
>
>
> 2.  Create a new attribute object, “esub” (event subject) which is a JSON
> object that contains the attributes needed to identify the subject.  For
> example:
>
>
>
> We currently have:
>
>    {
>
>      "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>
>
>
>      "sub": "248289761001",
>
>      "iat": 1458496025,
>
>      "iss": "https://my.examplemed.com",
>
>      "aud": [
>
>        "https://rp.example.com"
>
>      ],
>
>      "events": {
>
>        "https://openid.net/heart/specs/consent.html":{
>
>          "iss":"https://connect.example.com",
>
>          "consentUri":[
>
>            "https://terms.examplemed.com/labdisclosure.html#Agree"
>
>          ]
>
>        }
>
>      }
>
>    }
>
>
>
> Could be represented as:
>
>    {
>
>      "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>
>
>
>      “esub": {
>
>        “sub”:"248289761001”,
>
>        "iss":"https://connect.example.com”
>
>      }
>
>      "iat": 1458496025,
>
>      "iss": "https://my.examplemed.com",
>
>      "aud": [
>
>        "https://rp.example.com"
>
>      ],
>
>      "events": {
>
>        "https://openid.net/heart/specs/consent.html":{
>
>          "consentUri":[
>
>            "https://terms.examplemed.com/labdisclosure.html#Agree"
>
>          ]
>
>        }
>
>      }
>
>    }
>
>
>
> Comments:
>
> * “sub” remains untouched in the sense that it retains the meaning used in
> traditional access tokens.
>
> * “esub” contains the full information to address the subject.  No need to
> look around for a second “iss” (which may or may not be there)
>
>
>
> To do this would require defining “esub” and sub-attributes like, “iss”,
> “sub” (which follow current defs), and probably “uri” for those entities
> that are referenceable as a URI.  Examples of URI subjects:
>
> *  in implicit federation (from RISC):   “uri”:”mailto:phil.hunt@yahoo.com
> <phil.hunt@yahoo.com>”
>
> *  in SCIM where resources have URIs:  “uri”:”https://scim.example.
> com/Users/44f6142df96bd6ab61e7521d9"
>
>
>
> One catch. Profiling specs would not be able to define new ways of
> addressing subjects with esub.
>
>
>
> Phil
>
>
>
> Oracle Corporation, Identity Cloud Services & Identity Standards
>
> @independentid
>
> www.independentid.com
>
> phil.hunt@oracle.com
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>
>
>

v2.23.0 | Report a Bug | By Email