Re: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

[Denis <denis.ietf@free.fr>]

Comments on draft-sheffer-oauth-jwt-bcp-00

1. Section 2 lists 7 known and possible threats and vulnerabilities with 
JWT implementations and deployments.
In the OAuth Threat Model Document (RFC 6819) collusions between users 
located inside of a system are not mentioned
but nevertheless need to be considered. One threat should be added in 
this document: Client collusions

Text proposal:

    2.8 Client collusions

    RFC 6819 (OAuth 2.0 Threat Model and Security Considerations) issued
    in January 2013 identifies security threats coming
    from hostile parties but does not mention threats coming from
    collaborating parties.

    JWTs are issued to a token requestor and are normally intended to be
    used by that token requestor. They are cases where
    the forwarding of a JWT to another party is a desirable property so
    that it can be used by that other party. This is typically the case
    when a JWT is intended to be used for delegation purposes.

    However, there are cases where a JWT does not contain a "sub" claim,
    but other claims that do not allow to identify the token requestor.
    This is typically the case when a JWT contains an attribute
    specifying that the token holder is over 18. In such a case, the
    forwarding of
    such a JWT to another party would not be a desirable property and
    should be detected by target servers.

    Access token binding protection methods currently developed either
    by the Token Binding WG [Token Binding WG] or by the OAuth WG [OAuth
    WG]
    do not allow to counter the forwarding of a JWT legitimately
    obtained by a party to another party. Either the legitimate party
    can provide keys
    to the other party, or if it can't (because private keys are
    protected by a secure element) it can send requests to his secure
    element to perform
    the cryptographic computations that the other party needs.

    Whatever kind of cryptographic is being used, when two parties are
    willing to collaborate, a software-only solution will be unable to
    prevent the transfer of an attribute of a party that possesses it to
    another party that does not possess it. The use of a secure element
    will be mandatory.

    However, the use of a secure element simply protecting the
    confidentiality and the integrity of some secret key or private key
    will be insufficient.
    Additional functional and security properties will be required for
    the secure elements.

    The documents related to OAuth 2.0 do not currently specify how to
    support secure elements so that the forwarding of a JWT legitimately
    obtained
    by a party to another party can be detected by the target server.
    Unless some extensions are being defined, the OAuth 2.0 framework
    will be unable
    to support JWTs containing attributes that do not allow to fully
    identify the token holder, typically a single attribute specifying
    that the token holder
    is over 18.


2. Section 3 lists some best practices. Section 3.8 is written as follows:

    3.8.  Use and Validate Audience
        If the same issuer can issue JWTs that are intended for use by more
        than one relying party or application, the JWT MUST contain an "aud"
        (audience) claim that can be used to determine whether the JWT is
        being used by an intended party or was substituted by an attacker at
        an unintended party.

JWTs may be used in a number of contexts, in particular when the 
resource owner and the target server are not collocated.

If the resource or the audience parameter is being used, the STS will 
have the ability to know exactly which individual or entity
has accessed which target service and may keep a log of that activity. 
It would thus be in a position to act as Big Brother.

Mandating implementations to have built-in Big Brother properties does 
not seem to be a "good practice".

However, there is indeed the need to restrict the use of JWTs to 
specific targets. The key point is that the target service must be able
to recognize itself that the token is indeed targeted to it. As an 
example, a challenge may be requested to the target service and
that challenge may then be placed into a specific filed of the JWT. The 
target service may then verify that the value included
in the JWT is the one that has been recently provided.

A parameter specifying the type of the control value and the value of 
the control would need to be used.
This parameter would be called a target_id (tid). It would solve the Big 
Brother case.

This parameter cannot be introduced in a BCP document, but this should 
be done in another document.

When the resource owner and the target server are not collocated and 
when privacy is a concern, the use of these parameters
should be deprecated and the use of a "tid" parameter should be 
recommended.

In any case, stating that "the JWT MUST contain an "aud" (audience) 
claim" is incorrect.

Denis

> JSON Web Tokens (JWTs) and the JSON Object Signing and Encryption 
> (JOSE) functions underlying them are now being widely used in diverse 
> sets of applications.  During IETF 98 in Chicago 
> <https://ietf.org/meeting/98/>, we discussed reports of people 
> implementing and using JOSE and JWTs insecurely, the causes of these 
> problems, and ways to address them.  Part of this discussion was an 
> invited JOSE/JWT Security Update 
> <https://www.ietf.org/proceedings/98/slides/slides-98-oauth-sessb-jwt-security-update-00.pdf> 
> presentation that I gave to two working groups, which included links 
> to problem reports and describes mitigations.  Citing the widespread 
> use of JWTs in new IETF applications, Security Area Director Kathleen 
> Moriarty suggested during these discussions that a Best Current 
> Practices (BCP) document be written for JSON Web Tokens (JWTs).
>
> I’m happy to report that Yaron Sheffer, Dick Hardt, and myself have 
> produced an initial draft of a JWT BCP.  Its abstract is:
>
> JSON Web Tokens, also known as JWTs [RFC7519 
> <https://tools.ietf.org/html/rfc7519>], are URL-safe JSON-based 
> security tokens that contain a set of claims that can be signed and/or 
> encrypted. JWTs are being widely used and deployed as a simple 
> security token format in numerous protocols and applications, both in 
> the area of digital identity, and in other application areas. The goal 
> of this Best Current Practices document is to provide actionable 
> guidance leading to secure implementation and deployment of JWTs.
>
> In Section 2, we describe threats and vulnerabilities.  In Section 3, 
> we describe best practices addressing those threats and 
> vulnerabilities.  We believe that the best practices in Sections 3.1 
> through 3.8 are ready to apply today.  Section 3.9 (Use Mutually 
> Exclusive Validation Rules for Different Kinds of JWTs) describes 
> several possible best practices on that topic to serve as a starting 
> point for a discussion on which of them we want to recommend under 
> what circumstances.
>
> We invite input from the OAuth Working Group and other interested 
> parties on what best practices for JSON Web Tokens and the JOSE 
> functions underlying them should be.  We look forward to hearing your 
> thoughts and working on this specification together.
>
> The specification is available at:
>
>   * https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-00
>
> An HTML-formatted version is also available at:
>
>   * http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html
>
>                                          -- Mike
>
> P.S. This notice was also posted at http://self-issued.info/?p=1690 
> <http://self-issued.info/?p=1690> and as @selfissued 
> <https://twitter.com/selfissued>.
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth