IETF Logo Mail Archive

Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

"Manger, James" <James.H.Manger@team.telstra.com> Tue, 12 May 2020 10:45 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B6143A09BC for <oauth@ietfa.amsl.com>; Tue, 12 May 2020 03:45:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=team.telstra.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ui5abj3UC1Vv for <oauth@ietfa.amsl.com>; Tue, 12 May 2020 03:45:08 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DAEE3A09AF for <oauth@ietf.org>; Tue, 12 May 2020 03:45:05 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.73,383,1583154000"; d="scan'208,217";a="372748290"
X-Amp-Result: SKIPPED(no attachment in message)
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipobvi.tcif.telstra.com.au with ESMTP; 12 May 2020 20:45:03 +1000
Received: from wsapp5863.srv.dir.telstra.com ([10.75.131.32]) by ipcbvi.tcif.telstra.com.au with ESMTP; 12 May 2020 20:45:02 +1000
Received: from wsapp5585.srv.dir.telstra.com (10.75.3.67) by wsapp5863.srv.dir.telstra.com (10.75.131.32) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 12 May 2020 20:44:41 +1000
Received: from AUS01-ME1-obe.outbound.protection.outlook.com (10.172.101.126) by wsapp5585.srv.dir.telstra.com (10.75.3.67) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Tue, 12 May 2020 20:45:02 +1000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OKEi+UYm4ZuRYcsQUOJSRmWy1v1NJkCNuUdQKEqaHQx5jyHG/Usc9/O5MLa7l4qnz6xwfoND1h95xGsqQmri/273nIn5Gx8DXXQZ+XhYullW1xyHI3t729S04qtrzrBLzmbXkQpwHFG0FZvhpQ3oSjfZ535D+CUubdaDgPtXJEhVhF2PQOhWoB/W467ClJBA6l8pvlX5X+IIjX1UEfdm4UUs//wEfXoLTXztBhMGgUHs4UXMx6juTmykEBVU+BhVvGXuMmosAqYf+RJopjExFucbSENRNjkGnkU8+nXbKnUeixluB0hjIcAuZTK8d+xpAi4o/7qTQ46cHgABTBd+mQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L9UPEMgmfruAPtGPHHXraSTvz1cG4JQusQlbUYz7naA=; b=S5qE6MSuxA7HvxXpW57za4qetu2Q26wqd+s+xLvxWjCugFLJzpQ35kV0KC/HlWimKm9TUAefjn+WpDqiTyayrvdKaSfJUptGvFU9Q2EXWx0weN/fWA76KV6g9wrH17kWN4wl7An5aYkxsHFo38H1xNdekT7EJlCw3VG28sULKclv/YD1teMRNeHqpbaf7+SgEi8CsC3v28+8mLQG83NEO/yOKrQ0EZm7p+zbMzdF822Ji7OKbopy4j1biQSb2e3hj0ke230tc3+Vngh7Xu58rBYaZsn8Eniobkno8sfcKeNqC/oNL5emMAZc6LyFPMZKOh4uJhnhzfiH/7D//xVVqg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.telstra.com; dmarc=pass action=none header.from=team.telstra.com; dkim=pass header.d=team.telstra.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.telstra.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L9UPEMgmfruAPtGPHHXraSTvz1cG4JQusQlbUYz7naA=; b=vX7HqMZM5uMS4C6A3kM6B9Kf4F7KHaQbRz97B6rHB+D1075T1WCAA2JnnCCBFM5jNQZrnQiOOljrLLDsPn7qfO5KUPMs914JteAD3XkMKyR9DvEfnmZ5HD1nwJ/hpJMNMfgMVIq4L2IilU8K7A1zmyALSabY+hlbwI9eGD9PB3Y=
Received: from MEXPR01MB1702.ausprd01.prod.outlook.com (2603:10c6:200:16::7) by MEXPR01MB2086.ausprd01.prod.outlook.com (2603:10c6:200:14::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.33; Tue, 12 May 2020 10:45:02 +0000
Received: from MEXPR01MB1702.ausprd01.prod.outlook.com ([fe80::4d7:1b54:6ee:bb6a]) by MEXPR01MB1702.ausprd01.prod.outlook.com ([fe80::4d7:1b54:6ee:bb6a%3]) with mapi id 15.20.3000.016; Tue, 12 May 2020 10:45:01 +0000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Denis <denis.ietf@free.fr>, Vittorio Bertocci <vittorio.bertocci@auth0.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Thread-Index: AQHWE1gGZMyrQ8qcS0qZND1RXU6Qz6iQWrGAgAAd5wCAAQopAIAGCOCAgABNT4CABzkQAIAD6DkAgAAPooCAALboAIAAL3MAgAAoywCAAEcSAIAABu/Q
Date: Tue, 12 May 2020 10:45:01 +0000
Message-ID: <MEXPR01MB1702E09FD7E18BF36B05A05DE5BE0@MEXPR01MB1702.ausprd01.prod.outlook.com>
References: <CAGL6epKuHTqLrZEjm0goKV+3jaPfTkN_JSLc0jfQyPqNzeP3aA@mail.gmail.com> <125f32d3-dd3b-3add-1172-391acd831cde@free.fr> <MWHPR19MB150159025ECBAD75B6DDE1DFAEAD0@MWHPR19MB1501.namprd19.prod.outlook.com> <79748d92-c084-c6f9-20b1-163cb5760d11@free.fr> <20200504055923.GH27494@kduck.mit.edu> <7ebcabb3-3160-37dd-2dac-407744084c33@free.fr> <20200509005408.GA27494@kduck.mit.edu> <22f844b4-966d-936d-df7c-ef7b8788b0aa@free.fr> <CAMVRk+Ln4xo_3pC6ALf0rp3+7gHyvO1zV=+NsA2pW4AZJ=1JAw@mail.gmail.com> <MWHPR19MB1501B1F305C170BCA0FD01F6AEBE0@MWHPR19MB1501.namprd19.prod.outlook.com> <CA4B872F-C0A1-4011-9221-B27CB45C41AB@gmail.com> <MWHPR19MB15018666981170A2DAA7B0D7AEBE0@MWHPR19MB1501.namprd19.prod.outlook.com> <0c7942f8-f94b-f0a9-cec1-cfa9803d4db6@free.fr>
In-Reply-To: <0c7942f8-f94b-f0a9-cec1-cfa9803d4db6@free.fr>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.23
dlp-reaction: no-action
authentication-results: free.fr; dkim=none (message not signed) header.d=none;free.fr; dmarc=none action=none header.from=team.telstra.com;
x-originating-ip: [144.132.40.82]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 76ab0e64-a647-401d-daca-08d7f6618628
x-ms-traffictypediagnostic: MEXPR01MB2086:
x-microsoft-antispam-prvs: <MEXPR01MB2086F4985F675C1B52B1A303E5BE0@MEXPR01MB2086.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0401647B7F
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hJhFuwQukGfZ4m1CIHS5xcApw/5SnwY+Alv44giHPFm6JmdKuVM4J00yLHJ7yTx7Uhfs2/E4MUIgrXzSpCJa27FLze0SnADeo88iAV1MGShbpSlNhFeh7ibmb4VjwM/6F28G/c30mU13fUO7DkQkIy0oU68YcJzHvRi8F4kmuWkrUL493PyvbAbUqhL80HVgLc6RNBHCMGM6Ugd10nwAd3b7Ru/Za9CpTS8p1NOJ1Rfxs+2qEJHzj9tJorJ+UIXZtfltipn7fmvl5APIIlNnT6OC4oKpX57nYBV0qu1+n7mD5um1vP68QGGDL3HTf/SgmuvhK1pDw6f7EjC+afQDxdtcAptxe0BahRdKSQhR3iHdwacn5J6RaNH1jRzdFFnzBCPM3/b5ZDf2FzjOFSMnFUtzgRVNMwMT2rzGJvhE27d9t6BPihu/t7/Mef4krpXuUadxQ2WZLNMgIWIE2JtLdSdbH1WwvXoP1zWvbVmKvEBSVZCmaR+VQB3jVnT+lZngnP3kf5JRaf/3vrCdx3XDTg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MEXPR01MB1702.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(39860400002)(376002)(396003)(366004)(136003)(33430700001)(7696005)(110136005)(478600001)(2906002)(52536014)(66556008)(76116006)(66476007)(33440700001)(66446008)(66946007)(33656002)(64756008)(53546011)(26005)(55016002)(8936002)(8676002)(186003)(86362001)(4326008)(71200400001)(6506007)(9686003)(316002)(5660300002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: lkKsgOEAwN4r22iAqN6xm+7XxAl8XWuKpjDE1KbunZidPuNV2Sy4qE4+R/R5YkAM9sAhy0CFcL5ZADSswp8LxJC0JHTB7K7v6waQ5KcBzaGMWphQs7Kj4uTj7NvtpmEBpfk8401PhRCLemkYTpbeAZgJRWXEXCLwuNSqHXdisvNMmwPncB4Zo7yj9V55TCWAvC6O6BQTcBJo1c94ugCVDu4BdCiVMAs1AtVmmfeaZjTyeAuFdCblEqdAhXu5oL/8YPVme1TXMEe9TwClCrCfwftDlJWjc+R4oGqcXGOc/eCzvEWkeFSrnY2dORcpzvomr/7joE30TOqy1GC53RttXdrmZheLr8XenmByPfX8USO/PdBb7mifDe3fokG3f7rJlz2ijDeadamqcuBt9ekUhYttAMYphXzy5X818F7d2ZnZ8jCm+Iep44mzBA2y/TfoVMXQDlm4s/DuPIBcFxCVbZJ4EM/ZZvvJdzbAuQ5rlps=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MEXPR01MB1702E09FD7E18BF36B05A05DE5BE0MEXPR01MB1702ausp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 76ab0e64-a647-401d-daca-08d7f6618628
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 May 2020 10:45:01.7970 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: lqVenK9dzEXIe4r9DnmpB6HFjjfkiJGxQf4IYqCytW/fdYPyO8tCDCPPjRUoupMpvLtKlnMb4/SyZppjWR2VMb5oGsenYw6O/qYm6M7BWGw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEXPR01MB2086
X-OriginatorOrg: team.telstra.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A0vE-D5c_4JKSgW_qsLjzJhEN_0>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 10:45:10 -0000

That text is an poor suggestion, Denis.

> end-user will usually have no knowledge of the attributes which correspond to the scope

The OAuth model is that the Authorization Server is responsible for informing the end-user about what is going on. That's why they display consent pages showing what will be disclosed, often giving the end-user control over this.

> the end-user would like to know which attributes have been placed in a token ...
> ... if the format of the access token is not understandable by the client, then the client SHOULD NOT forward

A major point of OAuth is to protect end-users from clients. The end-user has to trust the Authorization Server (they sign-in there), but that can lessen the trust required in clients.

A client that inspects an access-token in the hope of preventing an Authorization Server from disclosing too much to a Resource Server is kidding itself (and kidding the end-user). The access-token might be a JWT with minimal claims, then the RS calls the AS's token-inspection API and gets back squillions of claims.

So, by all means, do some auditing of Authorization Servers, Resource Servers, and the tokens they exchange to improve your confidence that they are behaving as they say. But if you write a client to do that inspection as standard behaviour then don't call it OAuth-compliant. It will break when the Authorization Server choses to change its token format. Because your client has violated a MUST in the best practices it will be clear where the responsibility for broken interop lies. And the rest of the ecosystem can hope that such clients are not prevalent enough to harm ongoing evolution of the rest of the system.

--
James Manger

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Denis
Sent: Tuesday, 12 May 2020 7:55 PM
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
...
This being stated, hereafter is a full text proposal replacement for the first paragraph (12 lines)
of the Privacy Considerations section (section 6):

    As indicated in RFC 6750, the "scope" value is intended for programmatic use and is not meant to be displayed to end-users.
   This means that, even when the client uses the scope parameter, the end-user will usually have no knowledge of the attributes
   which correspond to the scope (or to a missing scope parameter).

   RFC 6749 mentions that the string [access token] is usually opaque to the client. Hence, the client will not necessarily be able
   to inspect the content of the access token. As an example, an authorization server and a resource server might decide to change
   the access token format at any time.

   There are however cases, where the access token content presents privacy issues for a given scenario. In such cases,
   the end-user would like to know which attributes have been placed in a token before forwarding it to a resource server.
   If these attributes do not correspond to the expectations of the end-user or if the format of the access token is not understandable
   by the client, then the client SHOULD NOT forward the access token to the resource server.
Denis

v2.23.0 | Report a Bug | By Email