IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Thu, 04 April 2019 15:46 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D6551200A0 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 08:46:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fb6ytEXGMp2c for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 08:46:34 -0700 (PDT)
Received: from sonic317-26.consmr.mail.bf2.yahoo.com (sonic317-26.consmr.mail.bf2.yahoo.com [74.6.129.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6920612007A for <oauth@ietf.org>; Thu, 4 Apr 2019 08:46:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554392793; bh=ePPihOvoDvd28LQeoJmUBFQmd2t6yZffMk0+xdf7xbM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=qJKN2wpPGaXdzgv5H3jHm7qxj/fa6X7D3fNJKuWej2pKjEsWQkr6vjA5iG8ZHPVq+yYqwjZUuM9OJtGwJMBgvtc8IpnjapDPjNSmgQLBkqwui3u0Mo24Q95TFtUAy6tn1x4ziQuX7wF8pwZjK1f+xJl2Ll4bbF1vqMX+fWXacKBMICXDjxV56f7Dew4ZjWKmLNPVdKuCRfquaaZzzuPlZAyJyzIC3/7tiNw1+KuZYLDzwxvpOojcU11DwChEvASa3WZzzSDB16HfE8Ku4bfumrcrKX4DibFIBhMDpklRyT2quAIjxNPyQY3AevfxGnxAUbHBtWVReYFRt3WZ4QlvSA==
X-YMail-OSG: 4wnY5WcVM1mChTd5_n_HcIup.znIEQXIpXHsU0ETiDxKtCqsSQ8frA47EU0GlmT K6GG1v3chSiEoYxT2DYe1eZ77u2NaA0e0ACrG1U0rrqmtorGDN.gmvwlAVdFqw46dG206ZeU4nYu nmmcC.mZdW7pqWxEeYV_RTD7KUvOCiozM.X1_90V2R4yK_yLaVv1V.qBLK_g5lTnQIJUFdwU8knD 3Xbksb1J3u14dlpDdcE43jG9C0giBvwT1cJ4qFO3e1E9WwdcquJ5VkRZf.WePPl1n3LkyXF_jHwd i1BUbgmPupjWsdmlM70OEGGGUxCjbBF3GIGshNiiqOmfn5gu1P21Abk1w2lX8o9s50gsU8p4t05u b6DJ9jx2zsJE0GTUrz_mqBHbKXBCI7Cts0XIC0mEaDPpt6rxfe1_qmCn.ssW5TXKsFidQV8I9F6_ 0Iba3x9sNbGOcCYSEzn08nMVdWSYkSmD2P6bpX14gt7vEIg.NYdJiGjCTeTVC3jfzUcKZ.cdCgdy AUTbC3.PHvFZmHtP2OQe4E2dvZaXcjG6FTM0v8dU675fPMKPNTuojOQrIYvFZZcC72IQhjlbx8Hk rYpsq44TH5FEgIkXOhrD0mU2IScEicsUL9bOSJmZskVC9P4MX9hWbahPY90j2mpPrg96UoCYpX1M G1rMYrFiVmF1I3Lj5mnB7aEAVjLNQ9Y8TW11sxDNC93cqw01lV57kivdsoBWH3DcQdWg4rf1PM2o OiqStbPNe32Z2Z_IBrnY15XeJGIHuUjThd5rIBkN740uC4b9UzQ_I1D04U64r3wUfwNL9eEHoqX4 lRUn7fzQRCprXF2hnynaKTAcANqo40qIxIKQHPcOZ.lyJ5JiJeWcqtMX7Zm5mO74bppviCmNqHqe 3boEBnQ2_V_k0jND8pc2xbAZjPAbfQRn5otlhg4JADma4dKrz8DskmLZuCB92.YQ_kIumDoo4e4q ccqTqu6D7N3pzAu59uvyPzSEADF1hZBS8XsvB.y_.pDbn97L2EPr57h65EvaoT4a7_jxhhHAb0.s nv5dGYkSViyEbOdCaugrPBsIn5mMvQAotLR6yxEfu6pbl8wr.3ACCq9Inczs3iZeFyV.Qd7pzECk -
Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 15:46:33 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp425.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID ff060856b63be485e8bbf865c0ef0668; Thu, 04 Apr 2019 15:46:30 +0000 (UTC)
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>, Brian Campbell <bcampbell@pingidentity.com>
Cc: IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <62e62afb-891d-f7d8-8b39-793254dadf7b@aol.com> <CA+k3eCRGtvvT6YGGMZN+Krux=yTD-SSNJtj6mXQb5Fr9oQBbyQ@mail.gmail.com> <CA+k3eCR3sZ-gC96BYBTTW7kQ6EGw=z8wiNokAroNd=VTvNF3kw@mail.gmail.com> <CA+iA6uiaoX_ZeTSdgrPZHUH8zCn4GEg8t9R7fYH4LsfWYwzfaw@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <c9e5fe0c-6591-9328-c748-6dd7584bec0b@aol.com>
Date: Thu, 04 Apr 2019 11:46:29 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CA+iA6uiaoX_ZeTSdgrPZHUH8zCn4GEg8t9R7fYH4LsfWYwzfaw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------EFB07131BBF6F4E1F5AECEF5"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Bq-hLhYj_16wGmgb2GYqBCG6ZRs>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 15:46:38 -0000

:)

The more I think about 'sub' the more I don't think is should mean 
"user". What about an IoT device? To me it feels like 'sub' should be 
what 7519 states, the subject or principal of the token. In some cases, 
that is quite legitimately the "client" or "machine". Changing that 
semantic seems bad. If a developer needs to know whether this JWT is 
about a "human" or not, that's something else entirely and could have 
it's own claim.

On 4/4/19 11:38 AM, Hans Zandbelt wrote:
> agreed but it (i.e. "sub") also brings us back to where we started
>
> Hans.
>
> On Thu, Apr 4, 2019 at 5:27 PM Brian Campbell 
> <bcampbell=40pingidentity.com@dmarc.ietf.org 
> <mailto:40pingidentity.com@dmarc.ietf.org>> wrote:
>
>     The same is true for most of the other main claims too - iss, exp,
>     aud, sub, iat, etc.. They are defined in RFC 7519 not OIDC.
>
>     On Thu, Apr 4, 2019 at 9:21 AM Brian Campbell
>     <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
>     wrote:
>
>         Yeah, OpenID.Core isn't the right reference for `aud`.
>         https://tools.ietf.org/html/rfc7519#section-4.1.3 is the
>         definition of `aud` which should be the reference and this
>         document can provide additional specifics for the given
>         application.
>
>         On Thu, Apr 4, 2019 at 8:07 AM George Fletcher
>         <gffletch=40aol.com@dmarc.ietf.org
>         <mailto:40aol.com@dmarc.ietf.org>> wrote:
>
>             Another comment...
>
>                 aud  REQUIRED - as defined in section 2 of [OpenID.Core  <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>].  See
>                    Section 3  <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#section-3>  for indications on how an authorization server should
>                    determine the value of aud depending on the request.  [Note: some
>                    vendors seem to rely on resource aliases.  If we believe this to
>                    be a valuable feature, here's some proposed language: The aud
>                    claim MAY include a list of individual resource indicators if they
>                    are all aliases referring to the same requested resource known by
>                    the authorization server. ]
>
>
>
>             I don't think OpenID.Core Section 3 is the correct
>             reference for determining the 'aud' value. The issue here
>             is that the 'aud' of the id_token is the recipient of the
>             id_token (i.e. the client). However, for access_tokens the
>             'aud' value should be the resource service that will
>             receive the access_token. There is no existing guidance
>             for this and we should provide such guidance as this is
>             "kind of new" for OAuth2 (from an explicit specification
>             perspective).
>
>             Also, there is the concept of 'azp' from the id_token
>             which amounts to "who's allowed to present this token"
>             which might be interesting from the case where one entity
>             obtains the token, and gives it to another entity to
>             present. Not sure if we want to include this concept or not.
>
>             Finally, I think we may need some best practice around how
>             the concept of audience and resource should be managed.
>             For instance...
>
>                 If the request does not include a resource parameter, the
>                 authorization server MUST use in the aud claim a default resource
>                 indicator.  If a scope parameter is present in the request, the
>                 authorization server SHOULD use it to infer the value of the default
>                 resource indicator to be used in the aud claim.
>
>             I think for most implementations this would amount to...
>             define an audience that covers all the resource services
>             where the access token can be returned and set that as the
>             audience (e.g. urn:x-mydomain:apis). Which is perfectly
>             legal but maybe not in the spirit of the spec:) I am
>             receiving feedback from developers that binding access
>             tokens narrowly to the resource where they will be
>             presented is concerning from a chattiness perspective
>             (latency issues) and general load on the deployed AS
>             infrastructure.
>
>             On 3/24/19 7:29 PM, Vittorio Bertocci wrote:
>>             Dear all,
>>             I just submitted a draft describing a JWT profile for
>>             OAuth 2.0 access tokens. You can find it in
>>             https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
>>             I have a slot to discuss this tomorrow at IETF 104 (I'll
>>             be presenting remotely). I look forward for your comments!
>>
>>             Here's just a bit of backstory, in case you are
>>             interested in how this doc came to be. The trajectory it
>>             followed is somewhat unusual.
>>
>>               * Despite OAuth2 not requiring any specific format for
>>                 ATs, through the years I have come across multiple
>>                 proprietary solution using JWT for their access
>>                 token. The intent and scenarios addressed by those
>>                 solutions are mostly the same across vendors, but the
>>                 syntax and interpretations in the implementations are
>>                 different enough to prevent developers from reusing
>>                 code and skills when moving from product to product.
>>               * I asked several individuals from key products and
>>                 services to share with me concrete examples of their
>>                 JWT access tokens (THANK YOU Dominick Baier
>>                 (IdentityServer), Brian Campbell (PingIdentity),
>>                 Daniel Dobalian (Microsoft), Karl Guinness (Okta) for
>>                 the tokens and explanations!).
>>                 I studied and compared all those instances,
>>                 identifying commonalities and differences.
>>               * I put together a presentation summarizing my findings
>>                 and suggesting a rough interoperable profile (slides:
>>                 https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
>>                 <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
>>                 ) - got early feedback from Filip Skokan on it. Thx
>>                 Filip!
>>               * The presentation was followed up by 1.5 hours of
>>                 unconference discussion, which was incredibly
>>                 valuable to get tight-loop feedback and incorporate
>>                 new ideas. John Bradley, Brian Campbell Vladimir
>>                 Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes
>>                 Tschofenig were all there and contributed generously
>>                 to the discussion. Thank you!!!
>>                 Note: if you were at OSW2019, participated in the
>>                 discussion and didn't get credited in the draft, my
>>                 apologies: please send me a note and I'll make things
>>                 right at the next update.
>>               * On my flight back I did my best to incorporate all
>>                 the ideas and feedback in a draft, which will be
>>                 discussed at IETF104 tomorrow. Rifaat, Hannes and
>>                 above all Brian were all super helpful in negotiating
>>                 the mysterious syntax of the RFC format and
>>                 submission process.
>>
>>             I was blown away by the availability, involvement and
>>             willingness to invest time to get things right that
>>             everyone demonstrated in the process. This is an amazing
>>             community.
>>             V.
>>
>>             _______________________________________________
>>             OAuth mailing list
>>             OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>             https://www.ietf.org/mailman/listinfo/oauth
>
>             _______________________________________________
>             OAuth mailing list
>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>             https://www.ietf.org/mailman/listinfo/oauth
>
>
>     /CONFIDENTIALITY NOTICE: This email may contain confidential and
>     privileged material for the sole use of the intended recipient(s).
>     Any review, use, distribution or disclosure by others is strictly
>     prohibited...  If you have received this communication in error,
>     please notify the sender immediately by e-mail and delete the
>     message and any file attachments from your computer. Thank
>     you./_______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -- 
> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu>
> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>

v2.23.0 | Report a Bug | By Email