Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Nikos Fotiou <fotiou@aueb.gr> Tue, 24 March 2020 01:32 UTC
From: Nikos Fotiou <fotiou@aueb.gr>
To: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>, 'oauth' <oauth@ietf.org>
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com>
In-Reply-To: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com>
Date: Tue, 24 Mar 2020 03:32:29 +0200
Message-ID: <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9ux9k5rWuzSH__JoQ3QOC0832Tk>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Hi all,

Allow me some comments and forgive me if some of them are naïve.

- In Section 2.2, why is the nbf claim (https://tools.ietf.org/html/rfc7519#section-4.1.5) not considered? I can imagine some interesting applications of this claim.
- In the same section, it is not clear why some claims are required, especially exp, sub, and client_id. The last two claims are not even used during token validation.
- RFC 7519 specifies that, in the general case, the aud claim is an array of StringOrURI values. In this draft it is not clear if this is still the case, or whether here aud is a simple string (e.g., on page 5 it is stated: "the resource indicated in the aud claim", rather than the resource*s*).
- In the token validation procedure, i.e., Section 4, is there any reason why the resource server first checks the aud claim, then the signature, and finally the exp claim? Given the fact that error responses are not specified, returning something like "invalid aud claim" even for tokens with an invalid signature may result in privacy/security attacks.
- IMHO the token validation procedure is too bound to the particular discovery mechanisms mentioned at the beginning of this section. E.g., Step 2 mentions a registration process, and Step 3 mentions an Issuer Identifier which must match the iss claim. Moreover, I think it should be explicitly mentioned that the resource server must validate that the JWT access token has been signed with a signing key that corresponds to the authorization server included in the iss claim.

Best,
Nikos

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Monday, March 23, 2020 11:18 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Hi all,

this is a working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".

Here is the document: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04

Please send your comments to the OAuth mailing list by April 6, 2020.

Ciao
Hannes & Rifaat