IETF Logo Mail Archive

Re: [OAUTH-WG] Standardising JWT access token type determination

Akila Amarasinghe <akilaa@wso2.com> Wed, 17 January 2024 09:46 UTC

Return-Path: <akilaa@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4231FC15108F for <oauth@ietfa.amsl.com>; Wed, 17 Jan 2024 01:46:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fX03pW5KdFKo for <oauth@ietfa.amsl.com>; Wed, 17 Jan 2024 01:46:36 -0800 (PST)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31408C15106F for <oauth@ietf.org>; Wed, 17 Jan 2024 01:46:36 -0800 (PST)
Received: by mail-il1-x135.google.com with SMTP id e9e14a558f8ab-3608bd50cbeso45372455ab.3 for <oauth@ietf.org>; Wed, 17 Jan 2024 01:46:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; t=1705484795; x=1706089595; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LDRupfDahznAP6SXxyr9lRYsMaxBaop8qkybtDafV0Y=; b=S0CvoQdxLhLdI42552CORJGBqKy78aJsf9AA6SzIgkTuf7XlVWbtAXYFVAbCcJFn7p AWdt5cJDJqoo2T8WxL5EXEBpi/pCiyNmzWnLCj0wB94T2MGTYMszIrskJMVq2nxNywZT +XeWNdSDUxJiG+R0G1m24luWwR7HPtSjrXJ7A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705484795; x=1706089595; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LDRupfDahznAP6SXxyr9lRYsMaxBaop8qkybtDafV0Y=; b=YNePuDsA9DvTyyxo7P4YpVUwoHN6i2OsbjNekDbg8TQ3l0Allp28PmWj+8ddzSP9xt e5dF/CO6DyUGfhYzmbUZXvDE9fGoUWLG2wC0HEQKdbs6U+SVG+tvZAP+VfCbwdrOloGG nUKg+m6lP4PhxU2Cuk+Gg8Uckid7oTBPYjAxGQNcTXvD7Z1MoBRy4FTSqrCysQz/0DRI lPSUdf0e7PFJ7Bnt66whGiXgABfLY2mJ/7tvG3L+HTITUa/btuAQ48Y++1jNEhTPI9Hr CI91i2nPdt5yYo73StSHsfevlLSoi1NlFJxPk47eskpIO93z8aW1Xj4nQMRPCItym03Q J50g==
X-Gm-Message-State: AOJu0YwyHqYovAFjVXEdaFe1+azoMvwtXjvqfNBPLQKFIqjxr81ePvu4 Zz1PdOoZJtVQZAeWimP9kvrj2H0rCpdKxCPmNqYh1h4cBCXgCA==
X-Google-Smtp-Source: AGHT+IF0UYiuy2hDC/rgRk9ylqsGKTtYL+KrcHQCfKIu6wzwO/fR6JQ5igh7wyTpGfu4xS7IVG3FuFm8FpLG3mRHgaY=
X-Received: by 2002:a05:6e02:48d:b0:361:91e6:632 with SMTP id b13-20020a056e02048d00b0036191e60632mr1720538ils.44.1705484794814; Wed, 17 Jan 2024 01:46:34 -0800 (PST)
MIME-Version: 1.0
References: <CADo1+pUHvk6uK0pveDKbfxFDwDBkvmFbUEb=n_1pAsFfJ37Gmw@mail.gmail.com> <CAFfym_cZFPDX6w0SyNJVUXS53E80mFc9dTz8KaRr=c1JQMq5zg@mail.gmail.com> <CADo1+pVCaCRW+y7tEkxBrbtWYnZEkGyooWDE8xSuxmDf3ursEg@mail.gmail.com> <CAJot-L1Syx+CrjsHHT1LeydjYex+2F8ru=pDWcjda8J8S4FxyA@mail.gmail.com>
In-Reply-To: <CAJot-L1Syx+CrjsHHT1LeydjYex+2F8ru=pDWcjda8J8S4FxyA@mail.gmail.com>
From: Akila Amarasinghe <akilaa@wso2.com>
Date: Wed, 17 Jan 2024 15:15:58 +0530
Message-ID: <CADo1+pUWnzRWbRsw2oBSr_xfd9oruyL6fWn5pWs5+Zs5GitFZw@mail.gmail.com>
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, openid-gain-poc@lists.openid.net, Lalaji Sureshika <lalaji@wso2.com>
Content-Type: multipart/related; boundary="0000000000005d97bd060f211ffa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/97kHRB4Q-ZvrGLDoTJQzb1zs_pI>
Subject: Re: [OAUTH-WG] Standardising JWT access token type determination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 09:46:40 -0000

Hi Warren,

Please correct me if I am wrong. As I understood, the "acr" claim is only
returned with the ID token, which is OIDC-specific.

Also, how about the point #2 I explained above?

Thanks,
*Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
(M)+94719799034 *| *(E)akilaa@wso2.com
(B) medium.com/@akilaamarasinghe

<http://wso2.com/signature>


On Wed, Jan 17, 2024 at 1:28 PM Warren Parad <wparad=
40rhosys.ch@dmarc.ietf.org> wrote:

> > I'm afraid that claim is specific to OIDC
>
> Where exactly do you see that?
>
> On Wed, Jan 17, 2024, 05:12 Akila Amarasinghe <akilaa=
> 40wso2.com@dmarc.ietf.org> wrote:
>
>> Hi Warren and all,
>>
>> I believe this will get you exactly what you are looking for,
>>
>> I did some digging into the "acr" claim you mentioned in your last email.
>> I'm afraid that claim is specific to OIDC. Open Banking and Identity
>> providers may not use OIDC always. For my requirement, there should be a
>> way to distinguish the token type for both OIDC and non-OIDC providers. Is
>> there any other way that supports both of the above scenarios?
>>
>>
>>
>>> without attempting to utilize existing claims in a way that wasn't
>>> intended. While I definitely wouldn't recommend putting the *grant-type* in
>>> the property, but rather the *depth of security that the grant-type
>>> represents*, you are of course free to interpret the spec how you wish.
>>>
>> Regarding #2 (Adding a custom claim to the access token), let me
>> *correct* what I mentioned in the first email. *The custom claim won't
>> contain the grant type itself in plain text*. It will contain some sort
>> of string pre-defined by the authorization server which is determined based
>> on the grant type. For instance, if the token request is with the
>> "authorization code" grant type, the claim will contain something like
>> "APPLICATION_USER". And if the grant type of the token request is "client
>> credentials", the claim will contain the value "APPLICATION".  So we can
>> use this claim to distinguish the token type.
>>
>> Is the above recommended by the authors of IETF?
>>
>> Thanks,
>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>> (M)+94719799034 *| *(E)akilaa@wso2.com
>> (B) medium.com/@akilaamarasinghe
>>
>> <http://wso2.com/signature>
>>
>>
>> On Fri, Jan 12, 2024 at 3:49 PM Danuta Kusik-Wieland <
>> kusikdanuta@gmail.com> wrote:
>>
>>> Witam.Nie jestem informatykiem.Prubowałam stworzyć witrynę niestety jest
>>> problem z tolkenem.Wiem o tym ale nie wiem jak to zmienić.Jeżeli masz dobry
>>> pomysł proszę napraw to bo ja nie potrafię.Pozdrawiam Danuta Kusik-Wieland
>>>
>>> pt., 12 sty 2024, 09:48 użytkownik Akila Amarasinghe <akilaa=
>>> 40wso2.com@dmarc.ietf.org> napisał:
>>>
>>>> Hi all,
>>>>
>>>> I am researching a standard way to distinguish the token grant type
>>>> (client credentials of authorization code) by inspecting the content of the
>>>> self-contained JWT token.
>>>>
>>>> I expect to build a discussion within the Oauth/OpenID community around
>>>> the need to identify the grant type in which a JWT access token is issued.
>>>>
>>>> In the context of Open Banking, regulators around the world enforce the
>>>> API resource access validation specifying which type of access token should
>>>> be used to access the API resources. This is becoming a general enforcement
>>>> and the Open Banking solution providers are searching for a standard way to
>>>> distinguish the access token type by checking the content of the JWT token.
>>>>
>>>> I researched this and please find my findings below,
>>>>
>>>> 1. *"sub" claim is a potential way to distinguish the token type*
>>>>
>>>> In rfc9068 <https://datatracker.ietf.org/doc/html/rfc9068> specification,
>>>> it is mentioned that the "sub" claim should contain the client ID of the
>>>> authorization server if the resource owner is not involved during
>>>> authorization (see the screenshot below).
>>>>
>>>> [image: Screenshot 2024-01-12 at 12.15.42 PM.png]
>>>>
>>>> We had discussions about using this claim to validate the token type
>>>> (auth code or client credentials), but it seems this is not a standard way
>>>> to do this since there can be client impersonation attacks. However, it is
>>>> very rare for an actual authorization code access token to have the same
>>>> client ID in the "sub" claim as the client exists in the authorization
>>>> server.
>>>>
>>>> 2. *Add a custom claim to the access token*
>>>> Another option is to add a custom claim to determine the token type.
>>>> This will be set after determining the grant type of the token request and
>>>> will be contained in the JWT access token when issued by the authorization
>>>> server. This is a reliable way to identify the token type because the
>>>> authorization server determines the grant type by inspecting the request
>>>> sent into it. Therefore, making it more reliable. This custom claim will
>>>> contain from which grant type the access token is obtained.
>>>>
>>>> 3. *Validating the "azp" claim in the token*
>>>> This is not applicable generally because this claim is optional and is
>>>> only used in OpenID connect. The applications that don't use ID tokens
>>>> cannot use this claim.
>>>>
>>>> We seek the help of the OAuth/OpenID community to build up a discussion
>>>> on this and find a standard way to do the token type determination using
>>>> the JWT token. It could be one of the above scenarios.
>>>>
>>>> The feedback from the Oauth/OpenID community is highly appreciated.
>>>>
>>>> Thanks,
>>>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>>>> (M)+94719799034 *| *(E)akilaa@wso2.com
>>>> (B) medium.com/@akilaamarasinghe
>>>>
>>>> <http://wso2.com/signature>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>

v2.46.0 | Report a Bug | By Email | System Status