IETF Logo Mail Archive

Re: [OAUTH-WG] Standardising JWT access token type determination

Akila Amarasinghe <akilaa@wso2.com> Wed, 17 January 2024 11:13 UTC

Return-Path: <akilaa@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B48EC14F61E for <oauth@ietfa.amsl.com>; Wed, 17 Jan 2024 03:13:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87FFtCSXAqiE for <oauth@ietfa.amsl.com>; Wed, 17 Jan 2024 03:13:54 -0800 (PST)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16068C14F682 for <oauth@ietf.org>; Wed, 17 Jan 2024 03:13:49 -0800 (PST)
Received: by mail-il1-x12a.google.com with SMTP id e9e14a558f8ab-3608bd50cbeso45649095ab.3 for <oauth@ietf.org>; Wed, 17 Jan 2024 03:13:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; t=1705490028; x=1706094828; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DKs4RdA89WsL7XlekfU/7+ElRq+7uyVzATRM7zaSQzY=; b=il038kfP4iDVtnyCeSPetiQS2P241U6qL+fs2CQ6OgNYK2SS1g3ag0+V77DIwoJekv sNiofv7lUb6KswN5AvtY99KWC01F94Kuv7T+C6UcRo57uu+DCK5Ku3+qJCdAsbga6N+r /6/tYM0J1g4xBx3l3DSe/xIYhL1aOP4Tt4hbw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705490028; x=1706094828; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DKs4RdA89WsL7XlekfU/7+ElRq+7uyVzATRM7zaSQzY=; b=sfXgFjXyXfaH/CerB+ITCNeSR689dohTWQ5+DBXjlSEmtliXucxVkSwLhRMHr537MP rnNBs1u42VHwQd6NJ9V99RsOIKbS5RjWjK3DrsEMNy3lm+YIQABon6kqWR9cpNQmfqFw oMdMpD4UwgUX5wqQ+9OQoiZn171lcNPXPTNjKe9E2aK7P+1M8h75mWisflH7S11m3Pem vP1mea7PI/k+KdA1YiTYytfShvfbWZhwgntbos+VKFmuOzxxGp6X1wzueE/hsdLLefbC kcVIrnKEI1sWdpCd8tB+OeNsoMLy269kYBBgxGYWXyi41Xxz4bwA9llcYU37Eyct6/1e 1OdA==
X-Gm-Message-State: AOJu0YwMUtDRb+5/FDvBMzDdyY6nNwYae3JupEjPiVICYHmY7fPIq0Vb 2+q5YJIroYOrj4vRWpSf1DqRybmqAHicF+FyJZcR2bM7oEXr/Q==
X-Google-Smtp-Source: AGHT+IEfWZQERgrs95+OyKwfH6+wh3qTz4yG0ikaflsv9VAGlQqFn7s29uycplfItQIQxFMcUzaW+Rw0c49zb2yq3nE=
X-Received: by 2002:a92:b0e:0:b0:361:8f10:1a01 with SMTP id b14-20020a920b0e000000b003618f101a01mr2114262ilf.18.1705490027856; Wed, 17 Jan 2024 03:13:47 -0800 (PST)
MIME-Version: 1.0
References: <CADo1+pUHvk6uK0pveDKbfxFDwDBkvmFbUEb=n_1pAsFfJ37Gmw@mail.gmail.com> <CAFfym_cZFPDX6w0SyNJVUXS53E80mFc9dTz8KaRr=c1JQMq5zg@mail.gmail.com> <CADo1+pVCaCRW+y7tEkxBrbtWYnZEkGyooWDE8xSuxmDf3ursEg@mail.gmail.com> <CAJot-L1Syx+CrjsHHT1LeydjYex+2F8ru=pDWcjda8J8S4FxyA@mail.gmail.com> <CADo1+pUWnzRWbRsw2oBSr_xfd9oruyL6fWn5pWs5+Zs5GitFZw@mail.gmail.com> <CAJot-L3_gp7afbHMcz1KENyX+c1kDepJbmCUiv1Lkh84vm8=QQ@mail.gmail.com>
In-Reply-To: <CAJot-L3_gp7afbHMcz1KENyX+c1kDepJbmCUiv1Lkh84vm8=QQ@mail.gmail.com>
From: Akila Amarasinghe <akilaa@wso2.com>
Date: Wed, 17 Jan 2024 16:43:11 +0530
Message-ID: <CADo1+pV3HS7ZnjQ6T9zXtEnzUCcUwdOOrYimRBnXPHKfeOi2FQ@mail.gmail.com>
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, openid-gain-poc@lists.openid.net, Lalaji Sureshika <lalaji@wso2.com>, Janak Amarasena <janak@ws02.com>
Content-Type: multipart/related; boundary="000000000000477820060f225701"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AxqdJ_pgt0zoQDfVJ9KIVWINHKM>
Subject: Re: [OAUTH-WG] Standardising JWT access token type determination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 11:13:58 -0000

Adding @Janak Amarasena <janak@ws02.com> to the thread to get more context.
I will discuss this with my teammates and get back to you.

Meanwhile, what about the other point I highlighted? Using a custom claim
based on the requested grant type.

*Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
(M)+94719799034 *| *(E)akilaa@wso2.com
(B) medium.com/@akilaamarasinghe

<http://wso2.com/signature>


On Wed, Jan 17, 2024 at 3:20 PM Warren Parad <wparad=
40rhosys.ch@dmarc.ietf.org> wrote:

> It is not limited to OIDC, it is not OIDC specific. The RFC just includes
> what to do if you also want to be OIDC compliant, since open ID already
> specified a definition for the acr claim prior, but as the RFC title
> indicates, this is for OAuth.
>
> On Wed, Jan 17, 2024 at 10:46 AM Akila Amarasinghe <akilaa=
> 40wso2.com@dmarc.ietf.org> wrote:
>
>> Hi Warren,
>>
>> Please correct me if I am wrong. As I understood, the "acr" claim is only
>> returned with the ID token, which is OIDC-specific.
>>
>> Also, how about the point #2 I explained above?
>>
>> Thanks,
>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>> (M)+94719799034 *| *(E)akilaa@wso2.com
>> (B) medium.com/@akilaamarasinghe
>>
>> <http://wso2.com/signature>
>>
>>
>> On Wed, Jan 17, 2024 at 1:28 PM Warren Parad <wparad=
>> 40rhosys.ch@dmarc.ietf.org> wrote:
>>
>>> > I'm afraid that claim is specific to OIDC
>>>
>>> Where exactly do you see that?
>>>
>>> On Wed, Jan 17, 2024, 05:12 Akila Amarasinghe <akilaa=
>>> 40wso2.com@dmarc.ietf.org> wrote:
>>>
>>>> Hi Warren and all,
>>>>
>>>> I believe this will get you exactly what you are looking for,
>>>>
>>>> I did some digging into the "acr" claim you mentioned in your last
>>>> email. I'm afraid that claim is specific to OIDC. Open Banking and Identity
>>>> providers may not use OIDC always. For my requirement, there should be a
>>>> way to distinguish the token type for both OIDC and non-OIDC providers. Is
>>>> there any other way that supports both of the above scenarios?
>>>>
>>>>
>>>>
>>>>> without attempting to utilize existing claims in a way that wasn't
>>>>> intended. While I definitely wouldn't recommend putting the
>>>>> *grant-type* in the property, but rather the *depth of security that
>>>>> the grant-type represents*, you are of course free to interpret the
>>>>> spec how you wish.
>>>>>
>>>> Regarding #2 (Adding a custom claim to the access token), let me
>>>> *correct* what I mentioned in the first email. *The custom claim won't
>>>> contain the grant type itself in plain text*. It will contain some
>>>> sort of string pre-defined by the authorization server which is determined
>>>> based on the grant type. For instance, if the token request is with the
>>>> "authorization code" grant type, the claim will contain something like
>>>> "APPLICATION_USER". And if the grant type of the token request is "client
>>>> credentials", the claim will contain the value "APPLICATION".  So we can
>>>> use this claim to distinguish the token type.
>>>>
>>>> Is the above recommended by the authors of IETF?
>>>>
>>>> Thanks,
>>>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>>>> (M)+94719799034 *| *(E)akilaa@wso2.com
>>>> (B) medium.com/@akilaamarasinghe
>>>>
>>>> <http://wso2.com/signature>
>>>>
>>>>
>>>> On Fri, Jan 12, 2024 at 3:49 PM Danuta Kusik-Wieland <
>>>> kusikdanuta@gmail.com> wrote:
>>>>
>>>>> Witam.Nie jestem informatykiem.Prubowałam stworzyć witrynę niestety
>>>>> jest problem z tolkenem.Wiem o tym ale nie wiem jak to zmienić.Jeżeli masz
>>>>> dobry pomysł proszę napraw to bo ja nie potrafię.Pozdrawiam Danuta
>>>>> Kusik-Wieland
>>>>>
>>>>> pt., 12 sty 2024, 09:48 użytkownik Akila Amarasinghe <akilaa=
>>>>> 40wso2.com@dmarc.ietf.org> napisał:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I am researching a standard way to distinguish the token grant type
>>>>>> (client credentials of authorization code) by inspecting the content of the
>>>>>> self-contained JWT token.
>>>>>>
>>>>>> I expect to build a discussion within the Oauth/OpenID community
>>>>>> around the need to identify the grant type in which a JWT access token is
>>>>>> issued.
>>>>>>
>>>>>> In the context of Open Banking, regulators around the world enforce
>>>>>> the API resource access validation specifying which type of access token
>>>>>> should be used to access the API resources. This is becoming a general
>>>>>> enforcement and the Open Banking solution providers are searching for a
>>>>>> standard way to distinguish the access token type by checking the content
>>>>>> of the JWT token.
>>>>>>
>>>>>> I researched this and please find my findings below,
>>>>>>
>>>>>> 1. *"sub" claim is a potential way to distinguish the token type*
>>>>>>
>>>>>> In rfc9068 <https://datatracker.ietf.org/doc/html/rfc9068> specification,
>>>>>> it is mentioned that the "sub" claim should contain the client ID of the
>>>>>> authorization server if the resource owner is not involved during
>>>>>> authorization (see the screenshot below).
>>>>>>
>>>>>> [image: Screenshot 2024-01-12 at 12.15.42 PM.png]
>>>>>>
>>>>>> We had discussions about using this claim to validate the token type
>>>>>> (auth code or client credentials), but it seems this is not a standard way
>>>>>> to do this since there can be client impersonation attacks. However, it is
>>>>>> very rare for an actual authorization code access token to have the same
>>>>>> client ID in the "sub" claim as the client exists in the authorization
>>>>>> server.
>>>>>>
>>>>>> 2. *Add a custom claim to the access token*
>>>>>> Another option is to add a custom claim to determine the token type.
>>>>>> This will be set after determining the grant type of the token request and
>>>>>> will be contained in the JWT access token when issued by the authorization
>>>>>> server. This is a reliable way to identify the token type because the
>>>>>> authorization server determines the grant type by inspecting the request
>>>>>> sent into it. Therefore, making it more reliable. This custom claim will
>>>>>> contain from which grant type the access token is obtained.
>>>>>>
>>>>>> 3. *Validating the "azp" claim in the token*
>>>>>> This is not applicable generally because this claim is optional and
>>>>>> is only used in OpenID connect. The applications that don't use ID tokens
>>>>>> cannot use this claim.
>>>>>>
>>>>>> We seek the help of the OAuth/OpenID community to build up a
>>>>>> discussion on this and find a standard way to do the token type
>>>>>> determination using the JWT token. It could be one of the above scenarios.
>>>>>>
>>>>>> The feedback from the Oauth/OpenID community is highly appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>>>>>> (M)+94719799034 *| *(E)akilaa@wso2.com
>>>>>> (B) medium.com/@akilaamarasinghe
>>>>>>
>>>>>> <http://wso2.com/signature>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>

v2.46.0 | Report a Bug | By Email | System Status