IETF Logo Mail Archive

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

Aaron Parecki <aaron@parecki.com> Mon, 13 April 2020 17:15 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47293A1BB4 for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 10:15:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z2xkpeuMLkqJ for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 10:15:54 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A90513A1B98 for <oauth@ietf.org>; Mon, 13 Apr 2020 10:15:53 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id n10so10125659iom.3 for <oauth@ietf.org>; Mon, 13 Apr 2020 10:15:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=03aIuWJAdho2DmesuEVJF/BScjcYpR66efgEGq2JRps=; b=V46W8mSQHW5E2IEUY+rEylsPaHUC4q4MEN4JojZIyx2BrmpqOXoSTnUUhqM4eP9AN/ 9eLDhy4WBONMYElQ4/YrlJvAunBgx3QRxVqvNP+F55E8JqGdUYvyN22KXBnkYbHZA+eN 1AypXzezcz+4rtYGhr6C2QyWe/qryUuyIV4XNzTTBVSczgIQM9iXCvi/CAosp/M0oT5i AG/Rd1npRmtwxTDm/8I8LMqu9VjOd9FFWCYQeO1z+IOkwntAzBHj2qrLf/nPPtp6LmGX rNQ7/zfPebFREaSZdaQIRQvkMI35AsbmNz4EVyPsyn+wLqRE+wWZVTNPQ2tmHGNnMIXJ vB/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=03aIuWJAdho2DmesuEVJF/BScjcYpR66efgEGq2JRps=; b=AmInoSIbbduksQXlDT5l21Qy9y5TL3aBGyi1bTL7bVHY5sfB8OTCsNanUN7UhzLuHq JI5FJHx0+RYDJTfGowMoLbI0VPQBVB9+IPXhmrVFZ6qAH/FTTpAghCshU6wg2+lNB5n2 AOB8vxOpDzpC7II3Y0QwPH+0noiBOKt27YqfDbyUwUMwp6sFSNAfWp9S9fMO4PK+O0OU JlyupBvLdGaTYqdYGe3P+2xfy3Q2luE53ghfJfL7+2EE/a4psUB9c+ETrMXpCF3NsK7+ c99JxR5M5UbYNXZrWHkbvJoOWHryF7mcHlx7tTx8xKq2sgNHexMrvvzmT3ZxOmkuzGHF L6AQ==
X-Gm-Message-State: AGi0PubrizfiyfPRLNpNkTEM1BTklNWuZ7UkWQQHag7ShM5busR2nL/z Ye/Nv+KOkvrFElYq+079Vx0e/n9EfNI=
X-Google-Smtp-Source: APiQypKVJi9+QmFefv6FMOsh9GQKqgvzJ8lLvlD2NbrJpYnFlg9Kk6sBLRgXdb2zDcNFh4uhylaDcw==
X-Received: by 2002:a02:3e14:: with SMTP id s20mr11189950jas.131.1586798152048; Mon, 13 Apr 2020 10:15:52 -0700 (PDT)
Received: from mail-il1-f175.google.com (mail-il1-f175.google.com. [209.85.166.175]) by smtp.gmail.com with ESMTPSA id b15sm2486331ilc.28.2020.04.13.10.15.50 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Apr 2020 10:15:51 -0700 (PDT)
Received: by mail-il1-f175.google.com with SMTP id o11so9177496ilq.7 for <oauth@ietf.org>; Mon, 13 Apr 2020 10:15:50 -0700 (PDT)
X-Received: by 2002:a92:d083:: with SMTP id h3mr18157620ilh.28.1586798150605; Mon, 13 Apr 2020 10:15:50 -0700 (PDT)
MIME-Version: 1.0
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com> <361d7891-01be-8e22-7765-613e727b2bc1@free.fr> <CAD9ie-u4xaoRmNG3Sgj+cNWG4M8BzaM1YFF4Oy4Q2A6gdFWDhw@mail.gmail.com>
In-Reply-To: <CAD9ie-u4xaoRmNG3Sgj+cNWG4M8BzaM1YFF4Oy4Q2A6gdFWDhw@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 13 Apr 2020 10:15:39 -0700
X-Gmail-Original-Message-ID: <CAGBSGjpV=QNHPJfXXLcxHwYwHZrKXEQVjf3eJg+b8z=qpRAJcA@mail.gmail.com>
Message-ID: <CAGBSGjpV=QNHPJfXXLcxHwYwHZrKXEQVjf3eJg+b8z=qpRAJcA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Denis <denis.ietf@free.fr>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000018e70d05a32f3c0d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6IlxfgjBQmCCde3H9Ap5JFDX2FA>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 17:16:03 -0000

This is a good point, I often use the hotel key analogy as well. The room
door is the RS, the key is the access token, the door does not need to know
who the user is in order to know if it’s okay to unlock given a particular
key.

If sub is required, then this profile is limited in use to cases where user
identifiers are part of the system, and there will be situations in which
it’s not appropriate to use this profile for access tokens. If that’s okay,
this should be clarified in the overview section to describe when this
profile should be used.

Aaron



On Mon, Apr 13, 2020 at 10:08 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> Why does the "sub" need to be required?
>
> An access token is to prove authorization. The RS may not need "sub" to
> constrain fulfilling the client request.
>
> For example, it the access token has the same properties as a movie
> ticket, the RS does not need to have any identifier for who purchased the
> movie ticket.
>
> The privacy implication is the RS can correlate across API calls to know
> it is the same subject.
>
>
>
>
> On Mon, Apr 13, 2020 at 8:16 AM Denis <denis..ietf@free.fr
> <denis.ietf@free.fr>> wrote:
>
>> Hello,
>>
>> More on privacy about "JWT Profile for Access Tokens".
>>
>> The current document REQUIRES the claim names *sub* and *client_id*.
>>
>>    - sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].
>>    - client_id  REQUIRED - as defined in section 4.3 of [RFC8693]
>>
>> *1) **sub  REQUIRED*
>>
>> RFC 7519 states:
>>
>> 4.1.2.  "sub" (Subject) Claim
>>    The "sub" (subject) claim identifies the principal that is the
>>    subject of the JWT.  The claims in a JWT are normally statements
>>    about the subject.  The subject value MUST either be scoped to
>>    *be locally unique in the context of the issuer or be globally unique*
>> .
>>    The processing of this claim is generally application specific.  The
>>    "sub" value is a case-sensitive string containing a StringOrURI
>>    value.  *Use of this claim is OPTIONAL.*
>>
>> If *sub *is *REQUIRED *for this profile, then this allows all resource
>> servers to link accesses made by the same client on different servers.
>>
>> *2) client_id  REQUIRED*
>>
>> RFC 8693 states:
>>
>> 4.3. "client_id" (Client Identifier) Claim
>> The client_id claim carries the client identifier of the OAuth 2.0 [RFC
>> 6749] client that requested the token.
>>
>> RFC 6749 states:
>>
>> 2.2.  Client Identifier
>>    The authorization server issues the registered client a client
>>    identifier -- a unique string representing the registration
>>    information provided by the client.  The client identifier is not a
>>    secret; it is exposed to the resource owner and MUST NOT be used
>>    alone for client authentication.  *The client identifier is unique to*
>> *   the authorization server.*
>>
>> If *client_id* is REQUIRED for this profile, this also allows all
>> resource servers to link accesses made by the same client on different
>> servers.
>>
>> *Both claim names should be OPTIONAL *to allow to support the privacy
>> principle of unlinkability.
>>
>> Would both names remain *REQUIRED*, the Privacy considerations section
>> should mention that such a linkage by different resource servers
>> will always be possible when using this profile.
>>
>> Denis
>>
>> I have uploaded the second presentation for today's session, the JWT
>> Profile for Access Tokens.
>> https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth
>>
>> Regards,
>>  Rifaat
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

v2.23.0 | Report a Bug | By Email