Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
Sergey Beryozkin <sberyozkin@gmail.com> Tue, 16 August 2016 12:17 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14AE512D79F for <oauth@ietfa.amsl.com>; Tue, 16 Aug 2016 05:17:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUTNnFXo_gUo for <oauth@ietfa.amsl.com>; Tue, 16 Aug 2016 05:17:32 -0700 (PDT)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 351D512D809 for <oauth@ietf.org>; Tue, 16 Aug 2016 05:09:55 -0700 (PDT)
Received: by mail-wm0-x22c.google.com with SMTP id o80so163104495wme.1 for <oauth@ietf.org>; Tue, 16 Aug 2016 05:09:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=fp8x1AUSii1BJoZ1Gl9ZSxo012F4nrseCxkMcfMtOn4=; b=c9FYqszJSG+V+a+jfU3+AkAq4ymYaohVXh5bv4JmZisbFO4JTTxAcAblDZ6aXz64W5 3/ZoW04b5pD+XfG8ClbC0n/dXcRxaKTJ47JXB/irDo02oolDQuqXR/IUHQIlDcC3+Ytk Aq/a3VD9AkT3kGJs11TFX5t4r8SLOhVnnBO9dyTVoU1lOBIDV/Tsj9WzOFQ/Qfk6oqGB QjBu3rBj/Gn5znVQ+tHaLRlyem4tWkISfrsIG7c58NNLE7V9+BmBHVIRlcLSQLetgqDU 516H6DbX39EHqqb1zprBscQRWgYywK+UyVeBuC1rLtVstoOZsaOa1LW42OgVOTwGbrT6 1RCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=fp8x1AUSii1BJoZ1Gl9ZSxo012F4nrseCxkMcfMtOn4=; b=kbMuJ24Ie9NZrqEasb0kptUTjVAXAJwj1xCHT2dM5DHC5dp4Tcof1XnNw1JMlrho11 fooUMn9AhTNfxLfCp7B+5WP2Z0XPtcFNd4d7EjRItNBpXkckRSXd6SP7iQa/G5QyfnAG ZlIVGmF0eCdfWl3pJBGAxeY9PExgtnYvW1JIc7gy7bi6csyDX0kjkaWbpu3wDfFZSiS+ SSJrFsGLNHZAFYd5CguO8eYAscLQCpAPRhQbrORP6mt8+/N2I4FUlbh1RdRbNv913Y0i DezN3apBmlc7noogY6XF9G2KSaWthu10hjXCSWXdfhJWWypBLbdcPEjNhJwUSrTtjuC7 497Q==
X-Gm-Message-State: AEkoouvG3bac2R7JxjbP6nhZdoZ+4ZWomJYI6HxyKtrPOI/g4ZCgI0OvWM+DsmOQ8OhheA==
X-Received: by 10.194.116.1 with SMTP id js1mr3218844wjb.183.1471349393573; Tue, 16 Aug 2016 05:09:53 -0700 (PDT)
Received: from [10.36.226.98] ([80.169.137.53]) by smtp.googlemail.com with ESMTPSA id s184sm21468157wmb.11.2016.08.16.05.09.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Aug 2016 05:09:52 -0700 (PDT)
To: Brian Campbell <bcampbell@pingidentity.com>
References: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com> <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com> <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com> <6b6457e2-9cf1-9fdc-25f8-a0ee6be6976e@gmail.com> <CA+k3eCQHiVv9vq6CWPK03UwfAyKWF251DNLdxQ4TiJrjmHVSTg@mail.gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <154f9cd4-23e1-d0ac-e90a-badbe9e9d483@gmail.com>
Date: Tue, 16 Aug 2016 13:09:51 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQHiVv9vq6CWPK03UwfAyKWF251DNLdxQ4TiJrjmHVSTg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8NAklf30EpQbYVCdec0jKEmi7Wg>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2016 12:17:34 -0000
Hi Brian Thanks, 'cid' is a proper compact name :-), I've made our code configurable - to support reporting a client_id property either as a 'client_id' or 'cid' claim. Cheers, Sergey On 12/08/16 23:30, Brian Campbell wrote: > Yeah, the client typically isn't the/an audience of an access token. The > AT is opaque to the client and the client never processes or validates > it. So aud would have the resource(s) and something else could carry the > client id. > > FWIW, token exchange is looking to define and register "cid" as a JWT > claim for the client identifier: > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05#section-4.3 > > On Fri, Aug 12, 2016 at 4:13 AM, Sergey Beryozkin <sberyozkin@gmail.com > <mailto:sberyozkin@gmail.com>> wrote: > > Hi, > > > After updating my earlier code (where 'client_id' was set as the > standard JWT access token 'aud' property) to use 'aud' to represent > the resource audiences I'm now thinking how to represent a > 'client_id' in this token. > > For now if I'm using a 'client_id' claim, to be consistent with a > standard token introspection response. > > The other thing is how to represent a name of the user who > authorized the code grant which was exchanged for this token. > > Again I'm using a "username" claim, to be consistent with a standard > token introspection response. > > Also thinking, what value if any a 'sub' claim in such a token > should have. I'm setting it to a unique user identifier (similarly > to IdToken). > > Any comments are welcome > > Sergey > > > On 11/08/16 23:30, Sergey Beryozkin wrote: > > Hi John > On 11/08/16 23:24, John Bradley wrote: > > I think most people put the a resource URI in the aud. > > Connect uses the client ID as that is bit more stable than > trying to > use a redirect URI when there could be multiple ones. > Given that a resource server doesn’t typically have a > client_id the > resource uri make a reasonable value. > > You could put it in resource if you like, but that is > probably not > what others are doing. > > I was suspecting I might be on my own here yes :-) > > > It may be time for a interoperable JWT access token profile > of some sort. > > > +1 > > We keep getting close with some of the PoP stuff but only > specify parts. > > > Thanks, Sergey > > > John B. > > On Aug 11, 2016, at 6:16 PM, Sergey Beryozkin > <sberyozkin@gmail.com <mailto:sberyozkin@gmail.com>> > wrote: > > Hi All > > Awhile back I was asking why would self-contained JWS > JWT access > tokens would be used (as opposed to JWE JWTs), my > concern was that > anyone with a JWT library can read this token's content > - but as I > was explained that should not be a problem if such a JWS > JWT token > contains non-sensitive information. Besides, in some > cases, it gives > RS an option to validate this JWS JWT locally, without > having to make > a remote validation call. > > So I've started experimenting and the immediate question > I have is > this one: which claim should one use to represent a > resource server > audience to get the most inter-operable RS level > validation logic ? > > For example, a given RS may talk to different 3rd party > authorization > servers, say AS1 (vendor1) and AS2 (vendor2), and either > AS1 or AS2 > JWS JWT tokens that this RS validates locally should > ideally use the > same claim to represent a resource audience. RS > validation logic is > written independently (without using AS1 or AS2 aware > validation > libraries). > > We do expect such requirements coming in our > deployments. AS1 & > independent validation logic is already in use. Just a > matter of time > before AS2 is introduced. > > So JWT has a standard 'aud' claim - but I believe this > should be a > 'clientId' of the client a token is issued to, similarly > to the way > the 'aud' is treated in IdToken. > > So I've prototyped the code where JWT has these claims: > > "aud" = clientId > "resource" = 'http://myResourceServer' > > where 'resource' is borrowed from OAuth2 Resource > Indicators draft > and represent a specific RS target address, the resource > server > audience. > > Am I on the right path ? How would others do it when > facing a task of > including a resource audience in a self-contained JWS > JWT access token ? > > Many thanks, Sergey > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > >
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Brian Campbell
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… John Bradley
- [OAUTH-WG] JWS JWT Access Tokens and resource aud… Sergey Beryozkin