IETF Logo Mail Archive

Re: [OAUTH-WG] RS as a client guidance

John Bradley <ve7jtb@ve7jtb.com> Thu, 20 August 2015 00:50 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AC8C1A8A97 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:50:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kSAViKtCDQ4V for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:50:04 -0700 (PDT)
Received: from mail-qk0-f174.google.com (mail-qk0-f174.google.com [209.85.220.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05F1B1A8A98 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:50:03 -0700 (PDT)
Received: by qkch123 with SMTP id h123so3209732qkc.0 for <oauth@ietf.org>; Wed, 19 Aug 2015 17:50:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=bhtmR0GqU667REs+AYFQBWm2P2sTniSAx3YUjZLuIbw=; b=ggbRQbw87tMcluwXZ3ig692ptvhQVeaBqCuu9LkVyDLo9t7tUnDYqewj5Qq0sjt/+S un3zFle0NpXwn/gVnNTIdHzMQSNFK1vuhn/XQ4bd36XSsKy5ZrBpXVyoR/EksAQYfxNq 8kut4un+JafE9Ud2FDShOt32kOSwa9nmbQHzC4c7ywSxCaLJx7q38QMjzxzY1TV4eYnB 8iugnckABApDCTE+j7XEVyseE+7sF2irz3jFOtAMVqTsemXBUhrKAsjL02msqtX5U0l4 GOFktJ2PDZMdzY2buj+LzN6dhbAv3oWJzECaw2sgkwrfa6aFGOonBfGwhQBX7usdrY8W 0YDQ==
X-Gm-Message-State: ALoCoQnaAon0qAS84HPIIlDV5t/Z6FKCXTo0/ao+d6EnB+PqVavey+0PrHO1dfwpemD870keAmE5
X-Received: by 10.55.49.67 with SMTP id x64mr700594qkx.24.1440031802998; Wed, 19 Aug 2015 17:50:02 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.69.11]) by smtp.gmail.com with ESMTPSA id a50sm1376801qga.39.2015.08.19.17.50.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 19 Aug 2015 17:50:02 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_074A7763-FE77-41F7-9A11-220586A4D916"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <55D521DF.30306@mit.edu>
Date: Wed, 19 Aug 2015 21:49:55 -0300
Message-Id: <594C7BF1-3AD8-45C0-B08B-33166F268740@ve7jtb.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com> <55D521DF.30306@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/4gUQeUQycGmJyYl7cmPn3Sng0dQ>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:50:09 -0000

Ah yes,  Now I recall that we had Google change the claim once to azp and then discussed changing it again once we decided that azp was not the necessarily the presenter presenter.  That was what we decided was too cruel getting them to change the name again for something that they then had released in production.   That caused us to re-acrom “azp”.  

John B.

> On Aug 19, 2015, at 9:39 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> Just want to clear up some history: "azp" did not come from any existing claims from Google or otherwise. I very clearly recall proposing that we name it "prn" for "presenter", and Mike told me not to be evil[1] because we had just changed "prn" (for "principal") in the ID token to "sub" in order to match the more generic JWT. John suggested "a-zed-p" in the same discussion. As such, it clearly was "authorized presenter" in the first take, then it got widened/shifted a little bit in the final definition for reasons I never quite followed (nor cared much about at the time).
> 
>  -- Justin
> 
> [1] Being told "don't be evil" by a Microsoft employee remains one of my proudest achievements.
> 
> On 8/19/2015 8:35 PM, John Bradley wrote:
>> It could, but I remain to be convinced that would be a good idea.   “azp” came from a existing Google claim, I am not attached to the name.
>> 
>> John B.
>>> On Aug 19, 2015, at 9:29 PM, Nat Sakimura < <mailto:sakimura@gmail.com>sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>>> 
>>> Well, the abstract meaning is the same, but the practical implications and interpretation can vary within the boundaries depending on the context. 
>>> 
>>> A jku is a URI of a cryptographical key, which can be a uri of a signing key or encryption key depending on the context. Similarly the azp in an ID Token and an Access Token can share the same abstract concept while the concrete meaning in that particular concept can vary. 
>>> 
>>> 2015年8月20日木曜日、Mike Jones<Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> さんは書きました:
>>> Let me second John’s point that we shouldn’t have two different definitions for “azp”.  As I wrote in my friendly review of draft-sakimura-oauth-rjwtprof-04 at  <http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html>http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html <http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html>, the claim “azp” has already been registered by OpenID Connect Core at http://www.iana.org/assignments/jwt/jwt.xhtml <http://www.iana.org/assignments/jwt/jwt.xhtml> and so cannot be re-registered.  Given that I believe the intended semantics are the same, please cite the existing definition in rjwtprof, rather than repeating it or revising it.
>>> 
>>>  
>>>                                                             Thanks,
>>> 
>>>                                                             -- Mike
>>> 
>>>  
>>> From: John Bradley [mailto: <javascript:_e(%7B%7D,'cvml','ve7jtb@ve7jtb.com');>ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>] 
>>> Sent: Wednesday, August 19, 2015 11:05 AM
>>> To: Nat Sakimura
>>> Cc: Mike Jones; OAuth WG
>>> Subject: Re: [OAUTH-WG] RS as a client guidance
>>> 
>>>  
>>> Having two azp claims with slightly different definitions is not a good way to go,  both access tokens and id_tokens are JWT.   
>>> 
>>> For better or worse the claim was defined for bearer tokens where it was only the identity of the requester that was able to be confirmed by the token endpoint.
>>> 
>>> It supported a simple use case where a refresh token is used by client A to use as an assertion at AS B.  
>>> 
>>> In the simplest 3 party sase the requester of the token and the presenter of the token are the same.  However in some situations they are not the same. 
>>> 
>>> The important thing was to allow the “aud” recipient of the token to be able to differentiate a token that it requested from a a token that a 3rd party requested and presented to it.
>>> 
>>>  
>>> The “azp” should probably be left as it is and not tied to proof of possession/ binding the token to the presenter.  
>>> 
>>> There was a lot of debate and back and forth on azp at the time, the main reason to include it was to warn normal Connect clients that JWT containing that azp claim need to have it’s value be them or someone they know and trust that can request assertions for them.  That was because we knew that token containing that claim exist in the wild using that claim.
>>> 
>>>  
>>>  <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05>https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05> should probably be using a different claim to reduce the confusion.
>>> 
>>>  
>>> John B.
>>> 
>>>  
>>>  
>>> On Aug 19, 2015, at 3:17 AM, Nat Sakimura < <javascript:_e(%7B%7D,'cvml','sakimura@gmail.com');>sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>>> 
>>>  
>>> So, Mike, 
>>> 
>>>  
>>> Authorized Presenter is a defined term in Sender Constrained JWT for OAuth 2.0
>>> 
>>> (  <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05>https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05> ). It is used in the context of OAuth 2.0 Access Token, not a claim in ID Token of OpenID Connect. 
>>> 
>>>  
>>> Nat
>>> 
>>>  
>>> 2015-08-19 11:44 GMT+09:00 Mike Jones < <javascript:_e(%7B%7D,'cvml','Michael.Jones@microsoft.com');>Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>:
>>> 
>>> Just as a point of clarification, the definition of the “azp” claim is not “authorised presenter”.  At least as defined by OpenID Connect, its definition is:
>>> 
>>>  
>>> azp
>>> 
>>> OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
>>> 
>>>  
>>> A reference to this definition is registered by OpenID Connect Core http://openid.net/specs/openid-connect-core-1_0.html <http://openid.net/specs/openid-connect-core-1_0.html> in the IANA “ <>JSON Web Token Claims” registry athttp://www.iana.org/assignments/jwt/jwt.xhtml <http://www.iana.org/assignments/jwt/jwt.xhtml>.
>>> 
>>>  
>>>                                                             -- Mike
>>> 
>>>  
>>> From: OAuth [mailto: <javascript:_e(%7B%7D,'cvml','oauth-bounces@ietf.org');>oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>] On Behalf Of Nat Sakimura
>>> Sent: Tuesday, August 18, 2015 7:37 PM
>>> To: Adam Lewis
>>> Cc: OAuth WG
>>> Subject: Re: [OAUTH-WG] RS as a client guidance
>>> 
>>>  
>>> It is not directly, but Sender Constrained JWT for OAuth 2.0
>>> 
>>> (  <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=DhL9%2bp5Ml32P6%2fdaAQHHkho1yCsbq2W0M4WNrwgo1zo%3d>https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 <https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05> )
>>> 
>>> talks about a model that allows it. 
>>> 
>>>  
>>> In essence, it uses a structured access token that is sender constrained. 
>>> 
>>> It as a claim "azp" which stands for authorised presenter. 
>>> 
>>> To be used, the "client" has to present a proof that it is indeed the party pointed by "azp". 
>>> 
>>>  
>>> In your case, the native mobile app obtains the structured access token 
>>> 
>>> with "azp":"the_RS". Since "azp" is not pointing to the mobile app, 
>>> 
>>> the mobile app cannot use it. 
>>> 
>>> The mobile app then ships it to the RS. 
>>> 
>>> The RS can now use it since the "azp" points to it. 
>>> 
>>>  
>>> In general, shipping a bearer token around is a bad idea. 
>>> 
>>> If you want to do that, I think you should do so with a sender constrained token. 
>>> 
>>>  
>>> Nat
>>> 
>>>  
>>>  
>>>  
>>> 2015-08-13 2:01 GMT+09:00 Adam Lewis < <javascript:_e(%7B%7D,'cvml','adam.lewis@motorolasolutions.com');>adam.lewis@motorolasolutions.com <mailto:adam.lewis@motorolasolutions.com>>:
>>> 
>>> Hi,
>>> 
>>>  
>>> Are there any drafts that discuss the notion of an RS acting as a client? I'm considering the use case whereby a native mobile app obtains an access token and sends it to the RS, and then the RS uses it to access the UserInfo endpoint on an OP.  
>>> 
>>>  
>>> It's a bearer token so no reason it wouldn't work, but obviously it is meant to be presented by the client and not the RS.  Curious to understand the security implications of this, read on any thoughts given to this, or to know if it's an otherwise accepted practice.
>>> 
>>>  
>>> tx
>>> 
>>> adam
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>>  <javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');>OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>  <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=eM%2f2nMY4YEca%2fyZtl6K4f4pRceNCHt1sF7v9ufZ7qgk%3d>https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> 
>>> 
>>>  
>>> --
>>> 
>>> Nat Sakimura (=nat)
>>> 
>>> Chairman, OpenID Foundation
>>>  <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=2x5%2f9bLJnUcMdOFrYWIk4G0BIwp8ytDK2LNx2BQuTtk%3d>http://nat.sakimura.org/ <http://nat.sakimura.org/>
>>> @_nat_en
>>> 
>>> 
>>> 
>>>  
>>> --
>>> 
>>> Nat Sakimura (=nat)
>>> 
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/ <http://nat.sakimura.org/>
>>> @_nat_en
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>  
>>> 
>>> 
>>> -- 
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/ <http://nat.sakimura.org/>
>>> @_nat_en
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>

v2.23.0 | Report a Bug | By Email