IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Thu, 04 April 2019 14:14 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE702120678 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 07:14:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K_jPP3j5Ld4i for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 07:14:04 -0700 (PDT)
Received: from sonic306-2.consmr.mail.bf2.yahoo.com (sonic306-2.consmr.mail.bf2.yahoo.com [74.6.132.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D58B1200EC for <oauth@ietf.org>; Thu, 4 Apr 2019 07:14:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554387243; bh=3edl0LrvusMNk51tYWE9BF8Ad03bQNRHdZk9S/GEa5I=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=Ne551wHwOrg0O25862BH6uO+29+5RM2rW4DWUy6aEw+TO7lLtIbhbejOfp6NvmueMtCu8A8OtdOigab4TtxMJVMowBaB2GHuNkZF5nU3YOixCn4cwKa4HKB8KNlPsF8fhn1xxJFwaJv3PDgMw4LwCIt8fHos4JUtthToLtv8iiNB2WviNbiEtuUHZZS60v8STfhAPfSnT1IP3SnOChFraylxdwvS7M5GKRIoexAENMVcEPK61VW4nsCqFbX0ilWnHSLaVlAqvu2fa1FXlOR9WXLNH6ZOD3X7zB5uSrGiooamtMNnSvFxuKHln7FEGh05vrT0Sm3Uj0y7dQvkG4ez2Q==
X-YMail-OSG: MmJJkSQVM1ml1tpGCgwYTdAMucDqS1wUet7M8riJLSzlTPm16rbyH3ShEyrNoZs D8gGlvGupHTVrxsYWzs48wFyowkv2NZ_5s8KtG5qal9.XteU_8ilg78MQZMFxBuBON5O4isOGc0A 1foWHJq8siZJZ4l4obmu21WhHNRJYrA9e75KONweeWGE9K1NYeqV1y0GwgXf3JUUnn4ct7vPhgdw eA9eevidhzB2IowHrtqCo6lAOR2qrcFpNGVaDvCPAsjfsJfvUSs7aOeCIA_r4seXlcXLbV9JFS.r McTrQafPG3V64DsjxgGwbnHpedQGb0RDPDcerwBdJUyJCM5QjvACDDzzKQ6n6mx4Az8O3YsAq9lC 5WHmQ4wwFW09p66NUS7kbh7SLrsEwj5pyF4ZJdOWSaqo7sRe_Qa8X2JhrLiYYx0i5VTCTIotVVo_ w0wiFoB6RZxcFiXJweTZkDh1ZiSiKQ4jtlrVlxcnQImYyr7kD.uOjQ3u.XVUo_pA4c4D.CciIrkL yGCIvlOS1Bmj0nJmlpvsqcVgy1mn7PheX_W8dSWm0RlGv_VpD1VIj7vlKyRFI_V5iF3dppTL8._Y s2Ch_rHSJ.qJxivdkH_OT1Eu6UcojT4Bhni7mrD56AczaIpDVHunqP.m9KuBn_K35zan62ElFp1S WjAin_NJIhE_wbMwGrpv7dto.3iApsuoG7uHq67sJeMd4CleFEhl7oenXwcdISW9BBlQ_iADQ.8c eP9ilB6sjNWG1LComOCWCsjFAHECwhmR.TpE9khCeYnu4anFfIcWHcA094mSE1UQDkq4Ye.41IcD AcLgux9inzr7q758p6XWp8Su9hTqDS2NVJR8SnDFQSyidMXiA1rbYOsu.jIT5uFF5bYzfMEhh8AS Ff1Is0anP5l0jJysE_b.Zw4zHYlMjCCEqak7fURSZHJt_QwJsWk1xFuFzFcTUYt0nEdT.K2fKbHo OLtq8YtHqb88SFE05yKlDbhesczxwbTVzBRdRCOFTP4LT3Tf1VsBkPxC1SpJ3pzFEVRcRHerj4BJ ND2W1FDKPddwCHTVPt0Dy1QATwLffLPNnOj1xFViRT2fZXRLgIgL6oZoIWVktYS0Ox.LIF8C3QxF dvhnLMA9oZGphfAwltM5quhrExZ48gMKkb6X1
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 14:14:03 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp418.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 1b9112a718319920336df2b50afbc6ad; Thu, 04 Apr 2019 14:14:01 +0000 (UTC)
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Brian Campbell <bcampbell@pingidentity.com>
Cc: David Waite <david@alkaline-solutions.com>, IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <2a523e40-470b-4727-4e38-7a60552a285a@aol.com> <CB442B2B-4084-4C0D-8B4C-59C10423B387@alkaline-solutions.com> <CA+k3eCRS_Y1aXwX3U-q8uXRqd4hhot-s6nJ5d9qmbA9m0m9uUw@mail.gmail.com> <CAO_FVe73VZ2WsMVMhgCxCUPg3Wp1cbwRRkw=U_62KFrtAr34qw@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <d0f53cb5-bd4e-3716-d467-b4f405cf31ee@aol.com>
Date: Thu, 04 Apr 2019 10:14:00 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAO_FVe73VZ2WsMVMhgCxCUPg3Wp1cbwRRkw=U_62KFrtAr34qw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------84029669242BA5F0633FA575"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2H5UhnfrFvenKV1Fb2KwB2BXnNo>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 14:14:09 -0000

Comments inline...

On 4/3/19 3:38 PM, Vittorio Bertocci wrote:
> Thanks guys for the comment, sorry for the delay in addressing them.
> I am not married to the claim types used in here, so if you think that 
> reusing the ones in the id_token can cause confusion we should expand 
> on the specific ways in which you think might go south.
I'm fine with re-using claims... we just need to make sure if we reuse a 
claim it keeps the same semantic.
> However I think it's important that the information on say, whether 
> the current token was obtained using MFA or a specific authentication 
> factor is something that API developers can legitimately latch to when 
> doing authorization decisions. From the perspective of a developer 
> modeling a solution, whether functionality is delivered as a route in 
> a postback based web app (hence receiving an id_token or derived) or 
> as an API consumed by a native app, the business requirement gating 
> access to that functionality doesn't change. If the admin managing 
> that resource establishes that access should be performed only via 
> MFA, the developer should be equipped to enforce that regardless of 
> the stack used to expose functionality (web app, API).
> Although it is true that triggering the desired behavior might be 
> achieved by the resource setting and contract with the AS, along the 
> lines of what David said, it's actually not uncommon for those 
> policies to be assigned on the resource AFTER the current session was 
> established and/or the corresponding AT was obtained and cached. 
> Furthermore, the requirement might be more granular than an AS policy 
> can tolerate (an API might requires MFA only for certain routes, hence 
> hard to express in a static policy) and triggered in form of 
> challenges. So the situation in which you have an AT with the right 
> issuer, audience, etc but was obtained with a policy now 
> obsolete/unacceptable to the RP is strong. Requesting to support 
> revocation just for this seems overkill, especially given that the 
> scenario in which the same logical app is exposed as both web app and 
> native client+API, the code consuming those claims is already in 
> place. It just makes intuitive sense for developers.
> In summary, one can take steps to push as much of the MFA requirements 
> to the AS settings for a particular request, but ultimately the desire 
> of the API developer to enforce that it actually happened is a 
> requirement I encountered often in practice. Anything providing extra 
> context to refine decisions about it (like auth_time, which might 
> inform decisions about whether to accept an MFA check occurred N 
> minutes ago or refuse access).
As an aside, I worry about trying to put all information needed to make 
a dynamic policy decision into an access token. For cases where the 
policy can change over time including the lifetime of the access_token 
then I prefer the User Managed Access (UMA) approach as it inherently 
allows for dynamic policy change.
>
> I thought that reusing the existing names for the same concepts just 
> made sense (dev existing skills, existing codebases, etc etc) and 
> especially in the case in which the values are exactly the same, and 
> the idea seemed to receive good support during OSW. But I am 
> completely open to change it of course, especially for cases like the 
> one identified by George.
> WDYT?
>
> On Wed, Apr 3, 2019 at 10:24 AM Brian Campbell 
> <bcampbell=40pingidentity.com@dmarc.ietf.org 
> <mailto:40pingidentity.com@dmarc.ietf.org>> wrote:
>
>     +1 to David's question here. I'd like to see justifying use cases
>     (beyond just the fact that some people are already doing it) for
>     auth_time, acr, and amr to be available in OAuth JWT access
>     tokens. Those claims are defined for, and in the context of, an ID
>     Token and I fear that codifying their use in an access token will
>     lead to misuse and/or confusion.
>
>     On Mon, Apr 1, 2019 at 1:03 PM David Waite
>     <david@alkaline-solutions.com
>     <mailto:david@alkaline-solutions.com>> wrote:
>
>         Do we know if there is a justifying use case for auth_time,
>         acr, and amr to be available in OAuth JWT access tokens? These
>         are meant to be messages about the client, either directly (in
>         the case of client credentials) or about its delegated
>         authorization of the user.
>
>         Embedding attributes about the user (such as group membership
>         and roles) can be used for the resource to make finer-grained
>         decisions than scopes, but normally I would expect say acr
>         limitations enforced by a resource to instead be controlled by
>         the AS requiring a higher quality authentication to release
>         certain scopes.
>
>         Thats of course not to say extensions to OAuth such as OIDC
>         can’t provide these values, just that they might better be
>         defined by those extensions.
>
>         -DW
>
>>         On Apr 1, 2019, at 9:12 AM, George Fletcher
>>         <gffletch=40aol.com@dmarc.ietf.org
>>         <mailto:gffletch=40aol.com@dmarc.ietf.org>> wrote:
>>
>>         Thanks for writing this up. One comment on auth_time...
>>
>>             auth_time  OPTIONAL - as defined in section 2 of [OpenID.Core  <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>].
>>                Important: as this claim represents the time at which the end user
>>                authenticated, its value will remain the same for all the JWT
>>                access tokens issued within that session.  For example: all the
>>                JWT access tokens obtained with a given refresh token will all
>>                have the same value of auth_time, corresponding to the instant in
>>                which the user first authenticated to obtain the refresh token.
>>
>>         During a current session a user can be challenged for
>>         additional credentials or required to re-authenticate due to
>>         a number of different reasons. For example, OIDC prompt=login
>>         or max_age=NNN. In this context, I'd assume that the
>>         auth_time value should be updated to the latest time at which
>>         the user authenticated.
>>
>>         If we need a timestamp for when the "session" started, then
>>         there could be a session_start_time claim.
>>
>>         Thanks,
>>         George
>>
>>         On 3/24/19 7:29 PM, Vittorio Bertocci wrote:
>>>         Dear all,
>>>         I just submitted a draft describing a JWT profile for OAuth
>>>         2.0 access tokens. You can find it in
>>>         https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
>>>         I have a slot to discuss this tomorrow at IETF 104 (I'll be
>>>         presenting remotely). I look forward for your comments!
>>>
>>>         Here's just a bit of backstory, in case you are interested
>>>         in how this doc came to be. The trajectory it followed is
>>>         somewhat unusual.
>>>
>>>           * Despite OAuth2 not requiring any specific format for
>>>             ATs, through the years I have come across multiple
>>>             proprietary solution using JWT for their access token.
>>>             The intent and scenarios addressed by those solutions
>>>             are mostly the same across vendors, but the syntax and
>>>             interpretations in the implementations are different
>>>             enough to prevent developers from reusing code and
>>>             skills when moving from product to product.
>>>           * I asked several individuals from key products and
>>>             services to share with me concrete examples of their JWT
>>>             access tokens (THANK YOU Dominick Baier
>>>             (IdentityServer), Brian Campbell (PingIdentity), Daniel
>>>             Dobalian (Microsoft), Karl Guinness (Okta) for the
>>>             tokens and explanations!).
>>>             I studied and compared all those instances, identifying
>>>             commonalities and differences.
>>>           * I put together a presentation summarizing my findings
>>>             and suggesting a rough interoperable profile (slides:
>>>             https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
>>>             <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
>>>             ) - got early feedback from Filip Skokan on it. Thx Filip!
>>>           * The presentation was followed up by 1.5 hours of
>>>             unconference discussion, which was incredibly valuable
>>>             to get tight-loop feedback and incorporate new ideas.
>>>             John Bradley, Brian Campbell Vladimir Dzhuvinov, Torsten
>>>             Lodderstedt, Nat Sakimura, Hannes Tschofenig were all
>>>             there and contributed generously to the discussion.
>>>             Thank you!!!
>>>             Note: if you were at OSW2019, participated in the
>>>             discussion and didn't get credited in the draft, my
>>>             apologies: please send me a note and I'll make things
>>>             right at the next update.
>>>           * On my flight back I did my best to incorporate all the
>>>             ideas and feedback in a draft, which will be discussed
>>>             at IETF104 tomorrow. Rifaat, Hannes and above all Brian
>>>             were all super helpful in negotiating the mysterious
>>>             syntax of the RFC format and submission process.
>>>
>>>         I was blown away by the availability, involvement and
>>>         willingness to invest time to get things right that everyone
>>>         demonstrated in the process. This is an amazing community.
>>>         V.
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>
>
>     /CONFIDENTIALITY NOTICE: This email may contain confidential and
>     privileged material for the sole use of the intended recipient(s).
>     Any review, use, distribution or disclosure by others is strictly
>     prohibited...  If you have received this communication in error,
>     please notify the sender immediately by e-mail and delete the
>     message and any file attachments from your computer. Thank
>     you./_______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email