IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

Brian Campbell <bcampbell@pingidentity.com> Wed, 18 December 2019 21:53 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A74120236 for <oauth@ietfa.amsl.com>; Wed, 18 Dec 2019 13:53:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0x755QgA9jb for <oauth@ietfa.amsl.com>; Wed, 18 Dec 2019 13:53:44 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6458120089 for <oauth@ietf.org>; Wed, 18 Dec 2019 13:53:43 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id h23so3838219ljc.8 for <oauth@ietf.org>; Wed, 18 Dec 2019 13:53:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BUEIYSm5zLkHzLPGPUsE5IgnAAMnNeJwkEcmZszj8ms=; b=ez4+MDhdVdnLkcnVKG2KInx6mug0kxTeYbyK7WnKmYi7XZ13yKSZule4M2mXnXG7gP hBNsLjNBvBJtzkbOo5+x/Mqp16apXaS9JcJ8Mh4yNXiTGTceM8kG6e52B9gm555+5xV9 uIcNVBLmja+Ire71FAI5f4gJJtRvPyLrnj2jx0EclP1rInOwqYRLpL+cGXisTch2vAaU OavaaXLafa/l/JzOlsecBqH4wVvvkQuPawAoF1oPd031hsEiIp6nUe4fgdVwzzefozFb KbgGEssdeIC87ZU2FtUUkjPDsD9QoX75pmm8Pk1kfU2/u/oGFgVFClwOvqZi+xYfU+i1 rE3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BUEIYSm5zLkHzLPGPUsE5IgnAAMnNeJwkEcmZszj8ms=; b=oCkdVenqQ4d4o2yepCkFAdsgC57Y2Et/sSM0X2VbcoBOn7z07EBIgnv585TfqRxmrp og3UaBZliXm7bJTL0a5K3W/00oq+KHoNo7jJCnKW2/4+7DAxVSj0gj7VHLcD9rz1/DoA AglG4KpgrYCV9tKucwwU7E2fGIraf/wnbpgmeBUlyEb7dgzjWXSHzOVA6TF4aRHKh21b e51eoVYQyjHfdBbqYsyQ6hjO3FfCde1xY/nb5k4F+/h5R81MhRM+eAILScXgp0LbCtSC kNFBa56/Hf5eCZH7j7Mc/7frPD7SrDFD0YQXGlYHvptKER59W3Xet2+ZLq8p5IOQI2PI +mYA==
X-Gm-Message-State: APjAAAXaQdC2MTX+69F0/8rkW94yCqylWaaVf22agAcuA8uOQBldaDbi yRa2Pm9tdcmVB04khJbJhWKC8ktCeUlQmvoqFRbZ34RLlZtGg0mOXc7fxuvTYa3dMezJ9CWZzRx IE75fPzM5EES7QQ==
X-Google-Smtp-Source: APXvYqx8/qYk9VsVbrFCUFBB4CllN+T/eJ0bi923mNbpv94q78St41rKDoj7DUSEpTmlQ/PA5tkWdDjRbOCc9VhfaXQ=
X-Received: by 2002:a2e:9592:: with SMTP id w18mr3460990ljh.98.1576706021803; Wed, 18 Dec 2019 13:53:41 -0800 (PST)
MIME-Version: 1.0
References: <157653653318.24509.15075582637514649078@ietfa.amsl.com> <CAO_FVe4jYtrCiGAFSKQo2UF2WDCu8Yf8ww9_biMoW4TJPQ2Qpw@mail.gmail.com> <AE9BAC29-50B0-4DAD-B27D-02EC803537A9@amazon.com> <CAO_FVe7=+G+Zc8VHbr=3Zt9w9v-1G6njRC-qPJFpwKMjBrY1Dg@mail.gmail.com> <CAO_FVe6Y-vaw_jVv9GUj0wkuOFXO9Lvd-Uq2HU87NQQ=SfFCnA@mail.gmail.com> <CA+k3eCQA8AezSrASAUG1r6YCGLYcc_t3m9g5k+0iH78z4=ynuA@mail.gmail.com>
In-Reply-To: <CA+k3eCQA8AezSrASAUG1r6YCGLYcc_t3m9g5k+0iH78z4=ynuA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 18 Dec 2019 14:53:15 -0700
Message-ID: <CA+k3eCQyiLfq1r+L=UWbf3En3qip4N8_x_H3ueemwv_wrQ=maQ@mail.gmail.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000586106059a017a70"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/83mSM8s8HPM0Mg_oqPVw6MctGac>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 21:53:46 -0000

But there's more going on with aud that needs to be looked at and/or wasn't
updated.

I think this
    "The aud
      claim MAY include a list of individual resource indicators if they
      are all aliases referring to the same requested resource known by
      the authorization server."
should be removed from 2.2.

Resource Indicators is about how the client conveys the target to the AS
and says " The authorization server may use the exact 'resource' value as
the audience or it may map from that value to a more general URI or
abstract identifier for the given resource". The following from sec 3 is
more restrictive / prescriptive, which seems to reach beyond the scope of
the JWT access token profile.
   "If the request includes a resource parameter (as defined in
   [ResourceIndicators]), the resulting JWT access token aud claim MUST
   have the same value as the resource parameter in the request."

And sec 4 also has talk of aliases.
"   4.  The resource server MUST validate that the aud claim contains the
       resource indicator value corresponding to the identifier the
       resource server expects for itself.  The aud claim MAY contain an
       array with more than one element.  The JWT access token MUST be
       rejected if aud does not list the resource indicator of the
       current resource server as a valid audience, or if it contains
       additional audiences that are not known aliases of the resource
       indicator of the current resource server.
I'd suggest deleting everything after the comma.

If you really want to limit things to a single aud value (and my
understanding is that you do), maybe just place the restriction on the AS
to only issue with a single aud value.

On Wed, Dec 18, 2019 at 2:30 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

>
>
> On Mon, Dec 16, 2019 at 10:31 PM Vittorio Bertocci <Vittorio=
> 40auth0.com@dmarc.ietf.org> wrote:
>
>> Re: aliases, I see where the confusion is coming from!
>> I updated the request section, but the session 2.2 data structure still
>> mentions the aliases. That should be cleaned up as well.
>> In any case the intent was always to only allow a singe resource per AT,
>> the alias list was only for helping in cases where an AS identifies the
>> same resource thru multiple IDs and the actual aud value depends on what ID
>> the client requested. However we discussed this with Brian and he convinced
>> me that it was just too ambiguous- your remark reinforces that impression.
>> I’ll clean up 2.2 and eliminate references to aliases from there as well.
>> Thanks!
>>
>
> Yes, please clean up sec 2.2.
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email