IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 10 September 2020 11:39 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBF503A08E2 for <oauth@ietfa.amsl.com>; Thu, 10 Sep 2020 04:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.137
X-Spam-Level:
X-Spam-Status: No, score=0.137 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, LONGWORDS=2.035, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=ehWFHOfI; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=ehWFHOfI
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eXTsrbLk7uIq for <oauth@ietfa.amsl.com>; Thu, 10 Sep 2020 04:39:21 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30056.outbound.protection.outlook.com [40.107.3.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C37163A08DC for <oauth@ietf.org>; Thu, 10 Sep 2020 04:39:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3q0DVKaLT7E7if2qBms8yZwXwkQQQLX4YSCQT04OF3M=; b=ehWFHOfIi4ZslGuYLkIbCkKQo8WEI65qWqB+5CwxG+n60BpUzbi0YCDFLH0Mmg76wrjZBaXsCsZELP9cE5KBeItQLMyLFppWXNNlyOp8nRb5EZBFvlQPUAFrTktHMmgqEGY0jO/NxYTIVTqoNaz1VvV+BSOJHg3NPlVqEAQNLtI=
Received: from DB6PR0802CA0039.eurprd08.prod.outlook.com (2603:10a6:4:a3::25) by VI1PR0802MB2142.eurprd08.prod.outlook.com (2603:10a6:800:9b::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16; Thu, 10 Sep 2020 11:39:16 +0000
Received: from DB5EUR03FT004.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:a3:cafe::19) by DB6PR0802CA0039.outlook.office365.com (2603:10a6:4:a3::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16 via Frontend Transport; Thu, 10 Sep 2020 11:39:16 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT004.mail.protection.outlook.com (10.152.20.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16 via Frontend Transport; Thu, 10 Sep 2020 11:39:16 +0000
Received: ("Tessian outbound e8cdb8c6f386:v64"); Thu, 10 Sep 2020 11:39:16 +0000
X-CR-MTA-TID: 64aa7808
Received: from e232e104cf26.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 497C5307-5399-4691-B06D-3BE4CEBBD828.1; Thu, 10 Sep 2020 11:39:11 +0000
Received: from EUR02-VE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id e232e104cf26.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 10 Sep 2020 11:39:11 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IiV7EVo8A9jpF97diP3ycSAURJwf/kSCgWmwo9iXtpEIAuV45zigkeqxFWt8MhF/UFBLfUO8uW1Pc5w/zs+8WikSZXV0jqJYzsDv59Sx61QELxNko//qPFjqACUIVwb+BzHsucxpxG30A3F53oBOidtyreiHkXlBClYLYAlqcktXqwkMONdGdYaFAuS0gxScSsqZaTSvhQcofaUuFFCX+H3FiyOcshKwtJYs+K9QMxkeaAVCAo2LfeYwvzTOccwlFu8onvhxg8WIwx2cIzi1Gipv/TnbOeYcYTDktKmKcT7AJUuKlQE8WpBVkPR9hK3wqQxmJd/RGpQ+nUAmab24DQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3q0DVKaLT7E7if2qBms8yZwXwkQQQLX4YSCQT04OF3M=; b=Iek8pYUCD0F/SHRYbToG5riwlPCmB5R9xc1qtty3d9MoV17NLJqplE05eGPfM6a9XlyqCyjLcQE8YOgvGxOujavsDiegFAABmeL/62KOwZZO1I1AAeWioXiqWWGYzpezCpmVjMT17cwUd9iZ5fV7/azI7xG9H/zcnCW6qfGw5duXOjJqRMMsrysGbRfbDByZtyvsZfuSS9R2ZptsKfRFDY0aDtfDZ2mpm+LwarpV1tQC5jhuNg5RB0YOyAAM9OnUN+LVl4pDb3VKQYZH97XpDmmlgVgLTQ51CCGI+EpMaBIzx+YJQUu5X2mJJcfQxn3rGqOTy+bQiDKFW2LwyFhTNQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3q0DVKaLT7E7if2qBms8yZwXwkQQQLX4YSCQT04OF3M=; b=ehWFHOfIi4ZslGuYLkIbCkKQo8WEI65qWqB+5CwxG+n60BpUzbi0YCDFLH0Mmg76wrjZBaXsCsZELP9cE5KBeItQLMyLFppWXNNlyOp8nRb5EZBFvlQPUAFrTktHMmgqEGY0jO/NxYTIVTqoNaz1VvV+BSOJHg3NPlVqEAQNLtI=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB3332.eurprd08.prod.outlook.com (2603:10a6:208:5f::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3370.16; Thu, 10 Sep 2020 11:39:09 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::2d73:b6c7:841c:78c8]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::2d73:b6c7:841c:78c8%6]) with mapi id 15.20.3370.016; Thu, 10 Sep 2020 11:39:08 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Denis <denis.ietf@free.fr>
CC: Dick Hardt <dick.hardt@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07
Thread-Index: AdaFqTZyItsUYvipQzq4nnXtxdB+SAAUT0MAAACTOQAAIhOWgAAsZSjgAAf1P4AAAi9owA==
Date: Thu, 10 Sep 2020 11:39:08 +0000
Message-ID: <AM0PR08MB3716B9F5C298A8F681358DD0FA270@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB371667F70B227C3EFA4C3ECAFA290@AM0PR08MB3716.eurprd08.prod.outlook.com> <ae739f88-58e6-40be-e759-3bf7b16715d2@free.fr> <CAD9ie-t4r5Uwzr7FOsedFSsGGMQ0H+9psMZ1LAr=ctB-L=LGNg@mail.gmail.com> <6abcccb8-42a5-60fe-a99b-16c3c154ff81@free.fr> <AM0PR08MB371612EB171DE3BB1166072BFA270@AM0PR08MB3716.eurprd08.prod.outlook.com> <1d877e88-07bb-779f-d252-440ca52a3a37@free.fr>
In-Reply-To: <1d877e88-07bb-779f-d252-440ca52a3a37@free.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: BB25EA99D919B645BC2EB9CC57285278.0
x-checkrecipientchecked: true
Authentication-Results-Original: free.fr; dkim=none (message not signed) header.d=none;free.fr; dmarc=none action=none header.from=arm.com;
x-originating-ip: [195.149.223.164]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: b839d537-c28e-46e6-d63f-08d8557e25e6
x-ms-traffictypediagnostic: AM0PR08MB3332:|VI1PR0802MB2142:
X-Microsoft-Antispam-PRVS: <VI1PR0802MB2142FA5B69568CA132ED085BFA270@VI1PR0802MB2142.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:2582;OLM:2582;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: R+EM7gmfPtGrfgJTcp1zrncHtqZ9x4dhgzzpDUcbvsOXdtYFDT9HW45sxciuC+UC3vqIxUQOYD23ab3XL03EM3onkTwt97T+akr5zqevzlieb+6nX0VFjH0WMuXiTsrmmJ3XEVor6uxUZJOm8iTrimXa9ZwYgwOSeHbADjoqZwDr/RMRuKgDeAeNVRjedQ32HumzIFeCKDxI/YnjykXGEaI0m4fmne8ycDzHFq+V1Y1BpgTs6ZYfX7QsZz19KQYpaO0xvEciR3ywNJjyDTa3RxDHk8l9G3IIf9S8yaflmgcDEpyoXtyzofO2I8QDmXNtNdvdROa4zkicyhvagQNEAF38TD3H4G1UuoIC0cmrIaDgw2Js2Hn7EMZam5RBKhT9qbHDriVE4tX1w2uYHixB01wdlwsH6mHruUtpouZrFOdnn/E6WlvW7Ij5wUo1HzgZDh6ccfR5w8D4Rd0PxuXeC33Fw+Qg8Pd0fgB8LL9+FbF/QXdZszQxTXo+rAG3DoLh
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(376002)(136003)(39860400002)(396003)(366004)(53546011)(66946007)(6506007)(8936002)(52536014)(316002)(966005)(6916009)(478600001)(71200400001)(186003)(66476007)(64756008)(4326008)(55016002)(66556008)(30864003)(66446008)(33656002)(83380400001)(54906003)(8676002)(7696005)(5660300002)(9686003)(86362001)(76116006)(9326002)(2906002)(166002)(26005)(76236003)(99710200001)(15866825006)(579004)(559001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: mrvqTQmIeR8BW4KvEHG5MSYWiHM5godUrbx2uQRI2A+BvfEWln/XDVjm8wHpLUnRH5J78e/M67wLANk4vYq68435FO5Ux+KL/lR+oLofDj+8CYLKSVx3K63g1ME9WY/XeX68dw/ovtK7xLqGSlmGuTtQIngAEfX8oGyWIdYdu2ZWR+PHvuMIyjMeRUTiskbKaGozrNQMfi6GUVbbJQU344/v5M57DJCGfvQEgAqEl4PF5X+QuT0vg9oXxT+jVcHMFYm424J9mhj/v0rsYL5DpMMFqvMnysO1h7W2qOH8KD8ZTqTkwoOa85VYoz4PBfWohZu/55zBz4qnAf+1NY/o35jdG8wGOj6XehErBkceIiSySP9Q54TTys4uZtpyxnjwoiir7+cHPPcjVZQUuCy5CjC0uuhLoTT1Ez6JmQ6f1HtEKQemvni7xGzQ4/63NUKkJaUbcZUMzA7UjfPO1kSmXvlR66QUne2SqieCySdeT+MOIE3SQCWaOld9bS7eMs6aSFSL3m6jLyJFcg47aDg2eyFZg6UdviOzgo9hHZUdc7/Jvit05+V7BX2EKIyB8CG7BT4agoHWi65HOO+2cVzhJ4o5WSyd9oSlAdm2suXFHLzI5cog/kNpMzFc8m326dV0+r24Ro1a/u5HGHWNchoj+Q==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB3716B9F5C298A8F681358DD0FA270AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3332
Original-Authentication-Results: free.fr; dkim=none (message not signed) header.d=none;free.fr; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT004.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 79f27ae7-f01a-49f5-043d-08d8557e218b
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: k/IJ1l2XKf4bZIRrw+vbQjRoodjLuy+iHFuUn3R03/r4Lyu4Ta+GEJ4rIv7sfNpX4FXjFbeZAeqnpFqvuJo2Ib1wPsWxIVRuDRIjDjjyWAzCbxVLy4GrZC10PXQlRhVgnFGdGLQGCNx3u3HbNc1C/y9WtRZcaBWO+HV0X2MZqlytb4WZE0SDcXrj50fT9nqiMyFzFJuqEHh7yCrylRAou6LPQyXL/UhlclLHbd0Nl48fY3v4BpERgx9wIsrtAeONOIqB0nPpFjVxwgf50fEsbL8dLc+4mkADRHucfTii8vXEEn3ys0+HoAS/renU2aDKftZ7m8KAJKyYIw5uKva9nIq96h0Q9yStMFqmcGa1kWv+MsQnXctdJXiGl7Nf/Ofg61t5iYz4dAbidvPQZQWdRSyV3wfLAb58RN5F9RV3pMSi28TOOGS/xsD8LAVh/KfoIkLAv69aJBRAVbW/QJ27cYq+IomFORVBz5Udu2LoSDMYYVsg0LOqi0qLGJ+253eM91fQpJqmODDIcq4knhTZHHd/0rmIKnUrHt3QfIdLQfA=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(376002)(136003)(396003)(39860400002)(346002)(46966005)(52536014)(81166007)(6506007)(53546011)(356005)(7696005)(4326008)(8676002)(33964004)(966005)(55016002)(82740400003)(336012)(9686003)(82310400003)(26005)(478600001)(33656002)(186003)(30864003)(54906003)(83380400001)(5660300002)(316002)(76236003)(2906002)(6862004)(70206006)(166002)(8936002)(9326002)(86362001)(47076004)(70586007)(99710200001)(15866825006)(579004)(559001); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Sep 2020 11:39:16.2960 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b839d537-c28e-46e6-d63f-08d8557e25e6
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT004.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0802MB2142
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Czn2tNLPC42PzjgZS1Xt5PiYWE8>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 11:39:26 -0000

Hi Denis,

Thanks for the clarifications regarding the uniqueness properties of the values that go into the subject claim.

Looking at draft-ietf-oauth-access-token-jwt-07 I don’t see where the draft introduces these two new flavors.

Additional comments below:


From: Denis <denis.ietf@free.fr>
Sent: Thursday, September 10, 2020 11:41 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Dick Hardt <dick.hardt@gmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

Hi Hannes,

Thank you for responses. See below.

Hi Denis,

Hi Dick and Hannes,

1)  While reading RFC 7519, no reader may be able to figure out that there are more than two flavours of the "sub" claim.
     This draft is introducing two new other favours of the semantics of the "sub" claim which are not present in RFC 7519.
     When an element has been defined, its semantics cannot be changed ... unless making an Errata to RFC 7519
     which would be a clean way to proceed.


[Hannes] What do you mean by “flavours” of the subject claim?

[Denis] RFC 7519 states: The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.

This makes two flavours: either locally unique in the context of the issuer or globally unique.

When reading the current text, in addition to these two flavours, two additional flavours (3) and (4) are discovered
which makes a total of four flavours:

  1.  locally unique in the context of the issuer (i.e. the same for all RSs),
  2.  globally unique (i.e. the same not only for all the RSs but also for servers that have nothing to do with OAuth),
  3.  unique for an AS/RS pair, and
  4.  unique for every access token.


2) The argument about "changing the token format at any time" does not apply in the context of this future RFC.
    This sentence should be either removed or modified  This means that the following sentence which is a derivative
    of this sentence should also be either removed or modified:
Hence, any logic in the client relying on the ability to read the access token content would break without recourse.


[Hannes] The OAuth 2.0 architecture allows the authorization server and the resource server to agree on whatever token format they want.
They can pass the information by value or by reference (which may then require token introspection or an equivalent mechanism).
This document does not change anything concern this.

Imagine a third party implementing an OAuth 2.0 Client. If they make assumptions about the ability to parse the content of the token, we create a brittle system.

For this reason, the sentence "changing the token format at any time" is correct.

I hope this makes sense.

[Denis] I do not dispute the sentence you proposed "The OAuth 2.0 framework assumes that access tokens are treated opaque by clients"
which replaces the previous sentence which was: "The client MUST NOT inspect the content of the access token".

The two sentences prior to it are:

Authorization server and the resource server might decide to change token format at any time (for example by switching from this profile to opaque tokens).
Hence, any logic in the client relying on the ability to read the access token content would break without recourse.

Once having read your last three responses, I would propose the following small change in the second sentence:

Authorization server and the resource server might decide to change token format at any time (for example by switching from this profile to opaque tokens).
Hence, any logic in the client relying on the ability to read the access token content at an instant of time might break later on without recourse.

You may have noticed that I proposed to change the RFC 2119 language in the text. I changed my original proposal to make it more clear (see red text).

"
   Authorization server and the resource server
   might decide to change token format at any time (for example by
   switching from this profile to opaque tokens). Hence, any logic in the
   client software relying on the ability to read the access token content may
   break since the OAuth 2.0 framework assumes that access tokens
   are treated opaque by clients.

   Administrators of authorization servers should also take into account that
   the content of an access token is visible to the client. Whenever client
   access to the access token content presents privacy issues for a
   given scenario, the authorization server should take explicit steps
   to prevent it.
"



3) The following questions have still not been answered:
Some questions raised during the WGLC have not been answered: How can a client request an access token compliant to this profile ?

[Hannes] The client cannot request the authorization server to use a specific token format. Since the client is not going to look at the access token content why would it even care.

[Denis] While reading all of your three last responses, I now understand the point.

Which parameter(s) allow it to ask an access token compliant to this profile ?

[Hannes] There no parameters defined so that the client can ask for an access token format that is compliant to this profile.
OK.

How can the AS know that it got a call for the issuance of an access token compliant to this profile ?

[Hannes] The AS only gets a request for an access token and the AS needs to decide what format to use, like it did in the past. Nothing changed.

Your response does help to understand. Section 3 is stating:

   An authorization server can issue a JWT access token in response to any authorization grant defined by [RFC6749] and
   subsequent extensions meant to result in an access token.

I believe, it would be worthwhile to add a sentence, just after this sentence, with the following text:

   When an authorization server decides to issue a JWT access token compliant to this profile, then the following requirements apply.
   (...)

[Hannes] That’s fine for me because this is what the intended effect of the spec is.



Ciao

Hannes


Denis


Ciao
Hannes


Denis



Denis


The objective of this document is to standardize the token the AS shares with the RS. It is not to standardize how the client can read the token. Just because the user is using the client, that does not mean the user wants the client to see any claims about themselves. Letting the client see the contents of the token may be a privacy violation.

client != user
ᐧ

On Tue, Sep 8, 2020 at 9:10 AM Denis <denis.ietf@free.fr<mailto:denis.ietf@free.fr>> wrote:
Hi Hannes,

Two comments between the lines.

Hi Victorio, Hi all,

I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07. Reading through the draft I have a few minor suggestions:

Section 2:

I would delete this sentence "JWT access tokens are regular JWTs complying with the requirements described in this section."

Reason: You pretty much make the same statement on the previous page (see terminology section).

Section 2.1

s/asymmetric algorithms/asymmetric cryptography
(same replacement in Section 4)

s/   This specification registers the "application/at+jwt" media type,
   which can be used to indicate that the content is an access token./This specification registers the "application/at+jwt" media type,
   which can be used to indicate that the content is a JWT access token.

Use capitalized "Section" when a section number is indicated, such as in Section 2.2.

Section 2.2

s/""aud"/"aud"

2.2.1

s/   auth_time  OPTIONAL - as defined in section 2 of [OpenID.Core]./   auth_time  OPTIONAL - as defined in Section 2 of [OpenID.Core].
s/   acr, amr  OPTIONAL - as defined in section 2 of [OpenID.Core]./   acr, amr  OPTIONAL - as defined in Section 2 of [OpenID.Core].


s/Please see/See

s/For example:/For example,

Section 4

You write:

"Authorization servers SHOULD implement OAuth 2.0 Authorization Server Metadata [RFC8414] ... "

Are you sure you mean "implement" and not "use"? The paragraph gives me the impression that you talk about "ASs using RFC 8414"


s/Please see section Section 5 for further guidance on security implications./Please see Section 5 for further guidance on security implications.

This sentence sounds strange to me:
"
   When invoked as described in OAuth 2.0 Bearer Token Usage [RFC6750],
   resource servers receiving a JWT access token MUST validate it in the
   following manner.
"

How about:
"
   Resource servers receiving a JWT access token MUST validate it in the
   following manner.
"

Question: If you refer to RFC 6750 and then list the steps are you just repeating the steps from RFC 6750 or are you augmenting them?


You write:

"
If the JWT access token includes authorization claims as described in
   the authorization claims section, the resource server SHOULD use them
   in combination with any other contextual information available to
   determine whether the current call should be authorized or rejected.
"

Include a reference to the authorization claims section


s/ For more
   details on cross-JWT confusion please refer to 2.8 of [RFC8725]./ For more
   details on cross-JWT confusion please refer to Section 2.8 of [RFC8725].


You write:

"
   Authorization servers should not rely on the use of different keys
   for signing OpenID Connect ID Tokens and JWT tokens as a method to
   safeguard against the consequences of leaking specific keys.
"

The phrase "leaking keys" is probably not the best term to describe what follows afterwards in the text.

You write:

"
The client MUST NOT inspect the content of
   the access token
"

This RFC 2119 language is not really enforceable in terms of interoperability. Maybe you could rephrase a bit. Something like the following would work:

"
   Authorization server and the resource server
   might decide to change token format at any time (for example by
   switching from this profile to opaque tokens). Hence, any logic in the
   client relying on the ability to read the access token content would
   break without recourse. The OAuth 2.0 framework assumes that access tokens
   are treated opaque by clients.

   Administrators of authorization servers should also take into account that
   the content of an access token is visible to the client. Whenever client
   access to the access token content presents privacy issues for a
   given scenario, the authorization server should take explicit steps
   to prevent it.
"


In the general case, the OAuth 2.0 framework assumes that access tokens are treated as opaque by clients.
However, with this coming RFC, we are not in the general case: since the client gets back an access token conformant to this RFC, then it knows
exactly its detailed structure. The argument about "changing the token format at any time" does not apply. In this case, the client is quite sure
that it would be able to understand most of its content (at least all the standard claims). The above text proposal would need to be reconsidered.

Hiding (by encrypting it) the content of the access token to the client is odd when an access token contains claims about a human-user :
these claims are personal data and the human-user is usually allowed to have access to his own personal data.

Encryption is nice in theory but complicated in practice, since a key management system must put in place. Whenever possible, it should be avoided.

BTW, some questions raised during the WGLC have not been answered: How can a client request an access token compliant to this profile ?
Which parameter(s) allow it to ask an access token compliant to this profile ? How can the AS know that it got a call for the issuance of an access token
compliant to this profile ?

Another comment follows.
You wrote:

"

   In scenarios in which JWT access tokens are accessible to the end
   user, it should be evaluated whether the information can be accessed
   without privacy violations (for example, if an end user would simply
   access his or her own personal information) or if steps must be taken
   to enforce confidentiality.  Possible measures include: encrypting
   the access token, encrypting the sensitive claims, omitting the
   sensitive claims or not using this profile, falling back on opaque
   access tokens.
"

The first sentence is a repetition of the previous paragraph. I would suggest to delete
the first sentence in this paragraph and to move the second sentence to the previous paragraph.

You wrote:

"
   This profile mandates the presence of the "sub" claim in every JWT
   access token, making it possible for resource servers to rely on that
   information for performing tasks such as correlating incoming
   requests with data stored locally for the authenticated principal.
   Although the ability to correlate requests might be required by
   design in many scenarios, there are scenarios where the authorization
   server might want to prevent correlation to preserve the desired
   level of privacy.  Authorization servers should choose how to assign
   "sub" values according to the level of privacy required by each
   situation.  For instance: if a solution requires preventing tracking
   principal activities across multiple resource servers, the
   authorization server should ensure that JWT access tokens meant for
   different resource servers have distinct "sub" values tht cannot be
   correlated in the event of resource servers collusion.  Similarly: if
   a solution requires preventing a resource server from correlating the
   principal's activity within the resource itself, the authorization
   server should assign different "sub" values for every JWT access
   token issued.  In turn, the client should obtain a new JWT access
   token for every call to the resource server, to ensure that the
   resource server receives different "sub" and "jti" values at every
   call, thus preventing correlation between distinct requests.
"

The above paragraph suggests that there are different levels of privacy. What you are
talking about in the text is unlinkability and identification. Ways to deal with such
privacy threats are described in Section 6 of RFC 6973.

Hence, I would suggest to slightly rephrase the paragraph to something like:

"
   This profile mandates the presence of the "sub" claim in every JWT
   access token, making it possible for resource servers to rely on that
   information for correlating incoming
   requests with data stored locally for the authenticated principal.
   Although the ability to correlate requests might be required by
   design in many scenarios, there are scenarios where the authorization
   server might want to prevent correlation. The "sub" claim should be
   populated by the authorization servers according to a privacy impact
   assessment. For instance, if a solution requires preventing tracking
   principal activities across multiple resource servers, the
   authorization server should ensure that JWT access tokens meant for
   different resource servers have distinct "sub" values that cannot be
   correlated in the event of resource servers collusion.

While the idea is really nice, the use of the "sub" claim in this context is not compatible with the definition of the "sub" claim
as defined in RFC 7519:

     4.1.2.  "sub" (Subject) Claim

        The "sub" (subject) claim identifies the principal that is the
        subject of the JWT.  The claims in a JWT are normally statements
        about the subject.  The subject value MUST either be scoped to be
        locally unique in the context of the issuer or be globally unique.
        The processing of this claim is generally application specific.  The
        "sub" value is a case-sensitive string containing a StringOrURI
        value.  Use of this claim is OPTIONAL.

There are two options and two options only:

"locally unique in the context of the issuer" means that it is the same for all RSs.
"globally unique" means that it is the same not only for all the RSs but also for servers that have nothing to do with OAuth (e.g. an email address).



    Similarly, if
   a solution requires preventing a resource server from correlating the
   principal's activity within the resource itself, the authorization
   server should assign different "sub" values for every JWT access
   token issued.  In turn, the client should obtain a new JWT access
   token for every call to the resource server, to ensure that the
   resource server receives different "sub" and "jti" values at every
   call, thus preventing correlation between distinct requests.

The proposed text describes two different cases where the sub claim is either unique for an AS/RS pair or unique for each access token.

These two cases are not included in the definition found in RFC 7519.

In the general case, an identifier can be:

  1.  locally unique in the context of the issuer (i.e. the same for all RSs),
  2.  globally unique (i.e. the same not only for all the RSs but also for servers that have nothing to do with OAuth),
  3.  unique for an AS/RS pair, or
  4.  unique for each access token.

I see different ways to solve this problem:

1° Stick to the definition of RFC 7519 and (unfortunately) remove these possibilities.
2° Define two new claims which would support the two cases where the sub claim would be either unique for an AS/RS pair or unique for one access token.
3° Define four new claims which would support the four above cases.

Denis
"


Section 7.2

s/   Section Section 2.2.3.1 of this specification refers to the
   attributes "roles", "groups", "entitlements" defined in [RFC7643] to
   express authorization information in JWT access tokens.
/   Section 2.2.3.1 of this specification refers to the
   attributes "roles", "groups", "entitlements" defined in [RFC7643] to
   express authorization information in JWT access tokens.


References

RFC 7519 has to be a normative reference:

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519><https://www.rfc-editor.org/info/rfc7519>.

RFC 7644 is an unused reference:

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <https://www.rfc-editor.org/info/rfc7644><https://www.rfc-editor.org/info/rfc7644>.

The same is true for RFC 3986:

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986><https://www.rfc-editor.org/info/rfc3986>.


Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email