Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bradley-stateless-oauth-client

John Bradley <> Sun, 03 November 2013 17:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0FAD821E80FA for <>; Sun, 3 Nov 2013 09:04:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KUR9lluLpnq5 for <>; Sun, 3 Nov 2013 09:04:09 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 6D9B211E815F for <>; Sun, 3 Nov 2013 09:04:09 -0800 (PST)
Received: by with SMTP id x10so5809325pdj.37 for <>; Sun, 03 Nov 2013 09:04:08 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=Ota6xYxIYjkY2lNiVbwmYyZK+QOc+WNI0pWljI/zuOI=; b=lO4H0Jce142cKyGOfh4BHN7vxqzngjFTitu0SC0vuKm0RZirKGHcTNTYk3TmyVu6Sv UCbekg+sfrQsJ54ECzTdNsji9BWbZOWKw3apLIwKLxFSXEBxnvtxnqRooPvDtv2C9Zph rM71pK461nVq2vgE4Ltw9nYVi/+SNkJPkpDu7gUOp7XFkskPH48/RKx+QOpzju42v1Q4 ambMSnHm6hA88Gx/WEHp6+FhOIQjBA2c+iqBWS5jKCensvQU6R6i0b/40HWimzqsHafX VQK3RjC6QXrhP61ORdXqkdsqQtZLC0l5iZR5YF+3Qn4egoWCWSZd2zpdY817A8/h0Ibs wWtQ==
X-Gm-Message-State: ALoCoQn/oCr0lwjqPM/5F+Gb2Kz2l3qaCnaotKHbG2ZV3ng4XzFRecuwyPSuprqKIHaWCSeMVDiJ
X-Received: by with SMTP id zk5mr13559755pbc.69.1383498247722; Sun, 03 Nov 2013 09:04:07 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id ye1sm27216371pab.19.2013. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 03 Nov 2013 09:04:06 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_F60D0755-CCE6-4196-B7CC-F9EC2BB585C2"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 7.0 \(1816\))
From: John Bradley <>
In-Reply-To: <>
Date: Sun, 3 Nov 2013 09:04:01 -0800
Message-Id: <>
References: <>
To: Brian Campbell <>
X-Mailer: Apple Mail (2.1816)
Cc: "<>" <>, oauth <>
Subject: Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bradley-stateless-oauth-client
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Nov 2013 17:04:14 -0000

YEs in my other response to Hannes I noted that in the simple case of a one to one relationship between a AS and a registration server AES_CBC_HMAC_SHA2 is probably the best way to do integrity(must not say signing or the crypto wonks go nuts)  and confidentiality if a symetric secret is included in the JWT.

The need for confidentiality goes away if the client is using a asymmetric key to authenticate.

Separately I have been dealing with several OAuth clients (Websites) that have been compromised and lost all of there OAuth 1 tokens and secrets as well as all of there Oauth 2 tokens.
We can put it down to bad security, but having long lived access tokens and there secrets hanging around in databases is a tempting target.  
It is also challenging for a client to protect there symmetric client secret in these cases as it is typically in some file on the disk.

There may at some point be a push to use asymmetric keys from a HSM to secure access to the token endpoint and keep the lifetime of the access tokens short.

One thing that is a limitation of encoding information in the client_id is that we don't currently allow the client_id to change during updated in client registration.
If we did then the JWT could contain some fixed id for the client that the AS would use as the key for authorizations.

I was trying to stay inside the scope of the current drafts.    
Our options are to allow client_id to change  this requires only a change in dynamic registration, and not the rest of the client logic, or to crate a separate parameter for client_assertion that would contain the signed information including the client_id sending the client_id twice.

I think allowing the client_id to be reference or assertion  as determined by the AS is more in keeping with what we are doing with access tokens.  
I don't think that should require any change to clients,  though it would require change to server logic to treat the incoming client_id as a reference or assertion to the actual client identifier rather than always being a literal.

I think it is worth discussing.

John B.

On Nov 3, 2013, at 8:36 AM, Brian Campbell <> wrote:

> Some musings on
> Abstract: "... allowing for fully stateless operation." --> saying that the statelessness is on the AS side might avoid some confusion. The client is still going to have to maintain state. 
> The kid is header rather than a claim.
> "The issuer SHOULD sign the JWT with JWS ...  issuer MAY encrypt the JWT with JWE." --> this text seems a little off given that the most common case, I'd think, would be an AS who issues these client id JWTs only for its own consumption using JWE's AES_CBC_HMAC_SHA2 which gives encryption and integrity protection.
> Does the relationship between the "iat" and "exp" claims here and the "client_secret_expires_at" and "client_id_issued_at" parameters of dyn reg need to be explained or explored more? Strikes me as potentially problematic.
> And what happens when one of these JWT client ids expires or needs to be updated? Or the keys used to create or verify them expire? I know the answer thus far has been that the client will just have to get a new one. But I feel like that might be too limiting in practice. I'd like to further pursue understanding/defining how these kinds of client ids might be used in conjunction with a longer lived way to identify the client that allows the client id (i.e. the metadata) to change but can allow correlation across such changes (the sub claim in this doc even suggests that a client might have such an identifier).
> As was pointed out in another review, there's a difference between documenting how it's possible for an AS to issue "stateless" client ids for its own use and defining something that allows for some other party to issue such ids. It may make sense to discuss them in the same document but I believe it'd be valuable to have the doc acknowledge and address the difference more.
> _______________________________________________
> Openid-specs-ab mailing list