Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question

Vittorio Bertocci <vittorio.bertocci@auth0.com> Wed, 23 September 2020 07:27 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1313A0E71 for <oauth@ietfa.amsl.com>; Wed, 23 Sep 2020 00:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.855
X-Spam-Level:
X-Spam-Status: No, score=-0.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntlDrymcEptD for <oauth@ietfa.amsl.com>; Wed, 23 Sep 2020 00:27:48 -0700 (PDT)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65DE63A0E69 for <oauth@ietf.org>; Wed, 23 Sep 2020 00:27:48 -0700 (PDT)
Received: by mail-pj1-x1031.google.com with SMTP id s14so2327999pju.1 for <oauth@ietf.org>; Wed, 23 Sep 2020 00:27:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=QM/fESc2p114SXB2dGyCTJfomL5UZ/2OoTnuOIc0w2w=; b=hsACVrrlPDSAzP+veqzAmTP0VoMLvgchIHx+aEtwOTk7fvkJbzM70mJ+lYiQw9Pi4c /1AtxU2PaDVu8DdXnh0441qIePhOWdcuUkiPdSI1h3UP08y4w8l2RbVh6lCLJnRj3IyD lmU1WF+qm4eYzkb55GVyLOdq2Hg/k9+WmdXuZ2u+JuGK4zZj6RdbGNyPMs755WZ+GTQl O9oWLIar+rfdMJr4Qe3AP+ODehkDjIDKcQIA1ukpZcqjPog/tA/38140GZolZD/uSVll CVNBGrn/GH1K5SBpLg38wq/P/j3dJGV6CU8FPxlKuYjdr+QYXdYeMYq4CR/y3nBpXK3O x6sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version; bh=QM/fESc2p114SXB2dGyCTJfomL5UZ/2OoTnuOIc0w2w=; b=HwHHZHzMJ6U3taRCzB4v1sR4qW/ch15AgknPPn5olYZqNh7FYjsk49kDsYysffBE4l jiG7sfNFYvoY2dDRRn55pLlV8BaJihqOXLd/U5W+EnI1aysa9OYV+dGnmUMh4FtkwhN6 n9bEmrmZtgcQS85TBEkt1ENVro5rz0hnrRPb1xxnbHTI8SJXU8X34LpI9WF4SQOKI2UV BvwjmqF/tnd4hFAElX0ZKpWtEx9cJfhbkTwqLpEmcCEdEIE47WDAsp8sUWv+TUoKzPvO KXjgGhH5MnFsSm000TG5ub9Hoofq4oa3o7Ne0hVOjzVwjWCGSXwo/XpeU8Dr5HREPxPa xBZQ==
X-Gm-Message-State: AOAM5300RpclVtCOY3sNn2VYOfdLzNZjq3xupHzFp83/J1kJv64d2+X6 IImgq4gr6nWpxJPDI6jkxinZdFhiGoYVCw==
X-Google-Smtp-Source: ABdhPJzm6CwyMLj/qBMaojAtwzW88KO8LQBZFFfu90sqqkoBZr3rvL4y47oIuuvSJUIJ6PJEuU8n3Q==
X-Received: by 2002:a17:90a:4802:: with SMTP id a2mr6868514pjh.5.1600846067670; Wed, 23 Sep 2020 00:27:47 -0700 (PDT)
Received: from MWHPR19MB1501.namprd19.prod.outlook.com ([2603:1036:120:1d::5]) by smtp.gmail.com with ESMTPSA id y4sm17702015pfr.46.2020.09.23.00.27.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Sep 2020 00:27:47 -0700 (PDT)
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
To: Logan Widick <logan.widick@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
Thread-Index: AWdVOGRZfCffrbDQDUZf8aHBptBej95xxmVlgARk2QCAAG7AgIAB60i2
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Wed, 23 Sep 2020 07:27:44 +0000
Message-ID: <MWHPR19MB1501B27E048AE9ED1642876FAE380@MWHPR19MB1501.namprd19.prod.outlook.com>
References: <CAMmAzEJX=Y=seeDe5T_d8-rr+qAx98fa-9+Qyh3UmnEEZTSoBg@mail.gmail.com> <MWHPR19MB150101C01962881B13665C21AE3C0@MWHPR19MB1501.namprd19.prod.outlook.com> <CA+k3eCS56bUPs-pdTFYbtMuNKrQeG+orND7wu8r6r_ZEBbQs_A@mail.gmail.com> <CAMmAzEKs-wZThnZsYyG5o3f0d_Fr-5UYvBjwS16o3rajq+NTmg@mail.gmail.com>
In-Reply-To: <CAMmAzEKs-wZThnZsYyG5o3f0d_Fr-5UYvBjwS16o3rajq+NTmg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_MWHPR19MB1501B27E048AE9ED1642876FAE380MWHPR19MB1501namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cuIHg5LimcSu8DeVWaqcP0W-p64>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 07:27:57 -0000

Thanks Brian, Logan.
On clarity. I tweaked that section and produced a new draft (-10).
Details:

  *   Formally, the fact that we are referring to the User entity should be unambiguous. 4.1.2 is a subsection of 4.1, which is titled "User Resource Schema”.
However as a frequent critic of the excessive cyclomatic complexity of the specs, I am making myself guilty of precisely the same sin 😊 your suggestion can save the reader the need to follow and parse the reference to understand the situation, hence it’s a good improvement to clarity.
  *   For what concerns the actual format of the claims. The groups entity actually appears as non-normative example in https://tools.ietf.org/html/rfc7643#section-8.2; I can make an explicit reference to that and make things a bit more discoverable.
  *   For roles and entitlements, things are murkier.
Before embarking in this endeavor I too had the expectation that this would be a flat list of strings, but digging a bit in existing implementations it turns out that’s not necessarily the case. For example, Slack SCIM represents individual roles as two possible forms { “value”:<name>, “primary”; <bool>}|  { “value”:<name>}, whereas databricks uses { “value”:<name>}; WSO2 uses { “value”:<name>, “type”; <enum>}.
So for those two I don’t think we can do better than the current statement about SCIM not supplying a vocabulary for them.
  *   I had some issues w the references where the section links were turned into local links, as it happened in the past. That should be fixed too.
  *   I applied the “” notation to the attributes, given that we are turning them into claims it seems clearer to sue the same typographic concention.



  *   side note… <nonexistent section reference>
Excellent point, fixed.


From: Logan Widick <logan.widick@gmail.com>
Date: Monday, September 21, 2020 at 19:09
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>om>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question

If I understand "The intent would be to present that information in the same way you would when querying a users/<id>, encoded in claims" correctly, the "roles", "groups", and "entitlements" claims are the same types as the "roles", "groups", and "entitlements" attributes of the User resource schema (pages 24-25 of RFC 7643 for the text; pages 63-67 of RFC 7643 for the schema)? In the schema the attributes are all "complex" (object) type and "multivalued" (array of), although the text for some of these attributes has some "No vocabulary or syntax..." remarks.

If that understanding is correct, it might be a good idea to replace the references to "RFC 7643", "Section 4.1.2 of RFC 7643", and "RFC 7643, Section 4.1.2" with something more specific like "the ____ attribute(s) of the User resource schema from Section 4.1.2 of RFC 7643".

On Mon, Sep 21, 2020, 15:33 Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:
At some point I'm going to be among the lucky few who will be asked to review the JWT claims registration request. One of the criteria to consider is "whether the registration description is clear" and Logan's questions suggest that perhaps the descriptions of these claims are not sufficiently clear. My assumption was that the claim value for "roles", "groups" and "entitlements" was going to be an array of strings. Trying to validate my assumption, I went looking at the text in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-2.2.3.1 and https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-7.2 and followed the reference to https://tools.ietf.org/html/rfc7643#section-4.1.2 and, honestly, it wasn't particularly clear to me. Maybe it's my lack of familiarity with the details of SCIM and the language of RFC 7643. But I think that, for the sake of clarity and interoperability, some additional specificity is needed.

Side note: the "Section 2.2.2.1 of [[this specification]]" references in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-09#section-7.2.1 are problmatic (there is no such section in this document) and probably should be to 2.2.3.1.

On Fri, Sep 18, 2020 at 6:28 PM Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org<mailto:40auth0.com@dmarc.ietf.org>> wrote:
Hi Logan,
Thanks for the note.
The intent would be to present that information in the same way you would when querying a users/<id>, encoded in claims; hence groups would be a list of values representing  what groups the subject belongs to, rather than a list of full group definitions (with all the other members belonging to them, for example) which would go beyond the intended use of the information (supplying authorization information about the subject).
I tried to keep the language high level as I didn’t want to duplicate SCIM guidance, or inadvertently narrow down the options products have to implement this.  If you think this is too vague, we can try to be more specific.

From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> on behalf of Logan Widick <logan.widick@gmail.com<mailto:logan.widick@gmail.com>>
Date: Wednesday, September 16, 2020 at 14:21
To: "oauth@ietf.org<mailto:oauth@ietf.org>" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-08 question


I took a look at Section 2.2.3.1<http://2.2.3.1>: Claims for Authorization Outside of Delegation Scenarios (https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-08#section-2.2.3.1) and I do not understand what exactly the formats of the "roles", "groups", and "entitlements" claims will be.

Will the "roles" claim be an array of strings (role names, IDs, or links), an array of the "roles" objects from the SCIM User schema (pages 66-67 of RFC 7643), or something else?

Will the "groups" claim be an array of strings (group names, IDs, or links), an array of the "groups" objects from the SCIM User schema (pages 63-64 of RFC 7643), an array of SCIM Group schema objects (pages 69-70 of RFC 7643), or something else?

Will the "entitlements" claim be an array of strings (entitlement names, IDs, or links), an array of the "entitlements" objects from the SCIM User schema (pages 65-66 of RFC 7643), or something else?

Sincerely,

Logan Widick
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.