Re: [OAUTH-WG] the meaning of audience in SAML vs. OAuth

Mike Jones <Michael.Jones@microsoft.com> Thu, 14 March 2013 18:57 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: prateek mishra <prateek.mishra@oracle.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: the meaning of audience in SAML vs. OAuth
Thread-Index: AQHOIOU/KjjTc25PPUqM2lCcj10XjJiliUdQ
Date: Thu, 14 Mar 2013 18:56:46 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943675115B6@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <1362079266.8952.YahooMailClassic@web141002.mail.bf1.yahoo.com> <512FCDF0.6010807@gmx.net> <5141EE22.2030306@oracle.com> <F38E6D5B-0062-4B27-BC93-1FB398F8808A@gmx.net> <51421CA0.7010400@oracle.com>
In-Reply-To: <51421CA0.7010400@oracle.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] the meaning of audience in SAML vs. OAuth

The JWT meaning of the term "audience" is intended to be the same as SAML.  Suggested wording clarifications would be welcomed.

				-- Mike

-----Original Message-----
From: prateek mishra [mailto:prateek.mishra@oracle.com] 
Sent: Thursday, March 14, 2013 11:53 AM
To: Hannes Tschofenig; Mike Jones
Cc: oauth@ietf.org
Subject: the meaning of audience in SAML vs. OAuth

Hannes - you make a good point.

I believe that the usage of "audience" in http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt

also corresponds to <saml:destination> rather than <saml:audience>.

[quote-jwt06]
The aud (audience) claim identifies the audiences that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in audience claim. If the principal processing the claim does not identify itself with a value in the aud claim, then the JWT MUST be rejected. In the general case, the aud value is an array of case sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the aud value MAY be a single case sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.
[\quote]

I think this is a point of quite some confusion (a similar problem arose during the SAML assertion drafts discussion on Tuesday).

To the extent that JWT re-uses concepts and names from SAML, I don't think this is the correct name with the semantics implied by the processing rules given in jwt06.

- prateek

> Hi Prateek,
>
> I never planned to make the term audience align with the SAML specification.
> However, in case this could lead to confusion, we could also define a different term.
>
> Btw, did you look at the JWT spec to see whether the audience term there is in line with the SAML spec?
>
> Ciao
> Hannes
>
> On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:
>
>> Hi Hannes,
>>
>> I wanted to point out that use of the term "audience" in this document is not consistent with the SAML 2.0 specification.
>>
>>
>> What you are referring to here as "audience" corresponds to <saml:destination>, which is described as
>>
>> [quote-saml2.0]
>> Destination [Optional]
>> A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]).
>> [\quote]
>>
>> In contrast, <saml:audience> is a means of limiting the liability of the asserting party and is described in the following manner -
>>
>> [quote-saml2.0]
>> <Audience>
>> A URI reference that identifies an intended audience. The URI reference MAY identify a document that describes the terms and conditions of audience membership. It MAY also contain the unique identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).
>> The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.
>>
>> The SAML asserting party cannot prevent a party to whom the assertion is disclosed from taking action on the basis of the information provided. However, the <AudienceRestriction> element allows the SAML asserting party to state explicitly that no warranty is provided to such a party in a machine- and human-readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably improved.
>> [\quote]
>>
>> - prateek
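The two checks the thread contrasts, written out as an added example that is not part of this thread or of any participant's code: the jwt-06 "aud" processing rule (the processing principal must find its own identifier among the case-sensitive "aud" values, string or array form, or reject the token) next to the SAML Destination rule (the URI must equal the location where the message was actually received). Function names, the constructed unsigned token and the `require_aud` policy switch are assumptions; no signature is verified here.

```python
import base64
import json


def payload_claims(jwt):
    """Decode the claims from the payload segment of a compact JWT.
    Signature verification is deliberately out of scope for this example."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def audience_accepts(claims, principal_id, require_aud=True):
    """jwt-06 rule: a principal processing the JWT MUST identify itself with a
    value in 'aud' (a StringOrURI or an array of them), else reject.
    'aud' itself is OPTIONAL, so an absent claim is an application decision,
    modelled here by require_aud (assumed policy switch, not from the draft)."""
    if "aud" not in claims:
        return not require_aud
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        return False  # malformed: only strings are allowed as aud values
    return principal_id in audiences  # exact, case-sensitive match


def destination_matches(destination, received_at):
    """SAML 2.0 Destination rule: the recipient MUST check that the URI names
    the location at which the message was received; otherwise discard it."""
    return destination == received_at


def make_unsigned_jwt(claims):
    """Build a constructed alg=none token for the demo (never accept such tokens)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg(claims) + "."


# Constructed sample: a token addressed to two relying parties.
SAMPLE_JWT = make_unsigned_jwt(
    {"iss": "https://idp.example", "aud": ["https://rp.example", "https://other.example"]}
)

if __name__ == "__main__":
    claims = payload_claims(SAMPLE_JWT)
    print("rp.example accepts:", audience_accepts(claims, "https://rp.example"))
    print("third party accepts:", audience_accepts(claims, "https://third.example"))
    print("destination ok:", destination_matches("https://sp.example/acs", "https://sp.example/acs"))
```

Rejecting tokens whose "aud" does not name the verifying party is what stops a token issued for one relying party from being accepted by another, which is the forwarding risk the SAML Destination text describes.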