IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Thu, 04 April 2019 14:07 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53FD21206AA for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 07:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EnfEQ-VIyKCk for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 07:07:03 -0700 (PDT)
Received: from sonic302-2.consmr.mail.bf2.yahoo.com (sonic302-2.consmr.mail.bf2.yahoo.com [74.6.135.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D34E21206A8 for <oauth@ietf.org>; Thu, 4 Apr 2019 07:07:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554386821; bh=gOh2ao8kMXJ9Dsdkud67LMCgkVuF20J74kBvEIyl6B0=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=MytFvgIgrgstX63UbfbBCbgzTWZyChgXWh95ceBj6BtPoaksEaLhJqjTJMFgiBPf/8PRnTZwxTlgDzHIHBA/U8g/K2mKPackv9WJJWSS2hgY/z0TQ0/mqYd6Bj5KsvgVVw26XewsQ9WFzEpD8H8vM6qgScK74UzRp8y7tL8Kfo6HeeJU0u8/QVgJGDJpI38qTdk5YqpR5Uvtj3XtlgWbZq3od8ilVLGs5SElbuwZccgHVFalHJP7EY589CTtLbmyNNGkHDFkkRDQjfD2vGwHg5a6twczTk+ETDaAiRs7ANxR625J82XUidDV7sjVb51akB8at8bHWPndYseUYzEVyA==
X-YMail-OSG: .GW.qhMVM1mnR_u6Ytxl.BUfSIYmkrZehYfePXxQhb3Yu6piPwcP1aZTAC7cIIF 8bFPVsuulhOD0HkBgKiAfEDjforUhK_8qjO2Jiv7a_XZ1gao_5Sqdyh1FAE2VPVJaGLCqa6S76lC Ko3cSc09AICCvLt2mvROxChhPiy8COGkZwJ7reVMllHHf77aWm4i_XF_YbUmJ3dcO0j3lsXLoSJz u8MzqLMmkDkVTPvOmwQKoKoSnebCKCMxdCKvdhzeY1KuYN6Wud1dHNjv3Kx7k00L1QvpKONgjZBd yRmsuge26bY98M7DsU2Wwil4JJzUppiAEVI9GVdvbx0KOfd96yvZviw12KiaHx.0O_grjLLCR53X UHIYSY5998MFqixI760yaBCdo2abWQclFXS4IkBlZvOf4Z2KVcIiBgCOxmdLVRoBujMy8xNvl6M8 i1aQH.Kzfw2vRsZVxPDo.DzIrbKD4Sv5iRNjX64sKp6pQC7DzK1cjl222icDD.wzCqeQ9ZP9BQWg 4hojRRjivfMr6Wo2z_umiCHjqwiS6i08cRZlFmDEEM4wJ6vLNcv6iMWYDhk9ss5Y9V6kxOa2yyRy NQDpKw7U5qhZQlNVysdfBqQ6mW.FfegIkTbl7cYnKgV3yzqSIMBN_kxfHAACMaTS9Xj6CWSFX5X0 Fu4AVie08j64UEbh9UPyTLma19JWijIYWugdb1Wqr05R71SHOT5HzeBKBRp9VJh9q69UcG1S.YXj iQ0rh5C9soKtte9.3HlON.sIEW_f_aRdKfN5Uybo9smjlw64I63TP2QL7hUKgBU27GsmCYvxeOql g8mg04OqJz4mJ5wjEk_k9K3O3mXn0E2zGxUq0V.Khjv8Sl834VGoyUOjslLiH9fS3tDXsGY61WR8 hadUQCwXMHoqCrYPpTvR3E6s2mzisXO5x48FU0yzjIePYKi8H0b9AyL2527PQ6WNCG.6fSU4XOQX GPPuh0ObDeyD55olzro_kBajZ7mcYdl8wAUJVDyd28xMQhu8pNSrxPChUuBoyj0QWgC_URFfFG4V nrRF6IwJtvxU3ReOoPXJe5nJiMJGqEQcOni4HKPlYJ69vPbUXdIGSbexSHBgCvU08BA--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 14:07:01 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp426.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 15a591e38e1277f0b5bf80a37b3d1e58; Thu, 04 Apr 2019 14:06:58 +0000 (UTC)
To: Vittorio@auth0.com, IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <62e62afb-891d-f7d8-8b39-793254dadf7b@aol.com>
Date: Thu, 04 Apr 2019 10:06:57 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------0F187D3EACDFE3DE4DCF446C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-VERF_QLIDBchDYw9q0o3wWJQXw>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 14:07:07 -0000

Another comment...

    aud  REQUIRED - as defined in section 2 of [OpenID.Core  <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>].  See
       Section 3  <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#section-3>  for indications on how an authorization server should
       determine the value of aud depending on the request.  [Note: some
       vendors seem to rely on resource aliases.  If we believe this to
       be a valuable feature, here's some proposed language: The aud
       claim MAY include a list of individual resource indicators if they
       are all aliases referring to the same requested resource known by
       the authorization server. ]



I don't think OpenID.Core Section 3 is the correct reference for 
determining the 'aud' value. The issue here is that the 'aud' of the 
id_token is the recipient of the id_token (i.e. the client). However, 
for access_tokens the 'aud' value should be the resource service that 
will receive the access_token. There is no existing guidance for this 
and we should provide such guidance as this is "kind of new" for OAuth2 
(from an explicit specification perspective).

Also, there is the concept of 'azp' from the id_token which amounts to 
"who's allowed to present this token" which might be interesting from 
the case where one entity obtains the token, and gives it to another 
entity to present. Not sure if we want to include this concept or not.

Finally, I think we may need some best practice around how the concept 
of audience and resource should be managed. For instance...

    If the request does not include a resource parameter, the
    authorization server MUST use in the aud claim a default resource
    indicator.  If a scope parameter is present in the request, the
    authorization server SHOULD use it to infer the value of the default
    resource indicator to be used in the aud claim.

I think for most implementations this would amount to... define an 
audience that covers all the resource services where the access token 
can be returned and set that as the audience (e.g. urn:x-mydomain:apis). 
Which is perfectly legal but maybe not in the spirit of the spec:) I am 
receiving feedback from developers that binding access tokens narrowly 
to the resource where they will be presented is concerning from a 
chattiness perspective (latency issues) and general load on the deployed 
AS infrastructure.

On 3/24/19 7:29 PM, Vittorio Bertocci wrote:
> Dear all,
> I just submitted a draft describing a JWT profile for OAuth 2.0 access 
> tokens. You can find it in 
> https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting 
> remotely). I look forward for your comments!
>
> Here's just a bit of backstory, in case you are interested in how this 
> doc came to be. The trajectory it followed is somewhat unusual.
>
>   * Despite OAuth2 not requiring any specific format for ATs, through
>     the years I have come across multiple proprietary solution using
>     JWT for their access token. The intent and scenarios addressed by
>     those solutions are mostly the same across vendors, but the syntax
>     and interpretations in the implementations are different enough to
>     prevent developers from reusing code and skills when moving from
>     product to product.
>   * I asked several individuals from key products and services to
>     share with me concrete examples of their JWT access tokens (THANK
>     YOU Dominick Baier (IdentityServer), Brian Campbell
>     (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta)
>     for the tokens and explanations!).
>     I studied and compared all those instances, identifying
>     commonalities and differences.
>   * I put together a presentation summarizing my findings and
>     suggesting a rough interoperable profile (slides:
>     https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
>     <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
>     ) - got early feedback from Filip Skokan on it. Thx Filip!
>   * The presentation was followed up by 1.5 hours of unconference
>     discussion, which was incredibly valuable to get tight-loop
>     feedback and incorporate new ideas. John Bradley, Brian Campbell
>     Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes
>     Tschofenig were all there and contributed generously to the
>     discussion. Thank you!!!
>     Note: if you were at OSW2019, participated in the discussion and
>     didn't get credited in the draft, my apologies: please send me a
>     note and I'll make things right at the next update.
>   * On my flight back I did my best to incorporate all the ideas and
>     feedback in a draft, which will be discussed at IETF104 tomorrow.
>     Rifaat, Hannes and above all Brian were all super helpful in
>     negotiating the mysterious syntax of the RFC format and submission
>     process.
>
> I was blown away by the availability, involvement and willingness to 
> invest time to get things right that everyone demonstrated in the 
> process. This is an amazing community.
> V.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email