Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt
Brian Campbell <bcampbell@pingidentity.com> Wed, 18 December 2019 21:19 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5A08120A8C for <oauth@ietfa.amsl.com>; Wed, 18 Dec 2019 13:19:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 007SO6vx7JnL for <oauth@ietfa.amsl.com>; Wed, 18 Dec 2019 13:19:29 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D69120232 for <oauth@ietf.org>; Wed, 18 Dec 2019 13:19:29 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id k8so3764873ljh.5 for <oauth@ietf.org>; Wed, 18 Dec 2019 13:19:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=siyVp3YqTHugvkUYDzhkPKGPkt47K4LLCpu1nN7DYgg=; b=M7iHSMhQom8ak1KZD7R/n9uDcgnjak9pFI8QnTMvjF0xXYXF25cuhDB+pwUy8wsBIh 5iD8oFwPlohhe6Yds9i3hkzadRO1qn6Y87LYcex63v96vWKnqSCNYXeDhUsGvR8FOU8y zK73qqTMrpqCjpgol4A5hrdt6XesCJNOeeqHo/WogJIn7uwcz+fT7ZP3CWFyRaezil+b kki+BIykj71yJnwHdns0M0HnYOcTUDcjz42x6V7/aZW3C+yn53texMvIMarRBT2lJrnV r6Nt0OH+RYP6OYbKBIB9rA/CQwrFnxWro07NX6Ma8FVeDqCCu3Nnb8qBiUEHhX+3pVmd xMOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=siyVp3YqTHugvkUYDzhkPKGPkt47K4LLCpu1nN7DYgg=; b=RBSStq7uF2EP9jHCCcAv/CivkCn5qzHheWNFrvBhID8bO2+/ZvocZ2iJpQBacY2vct lJYUo2tadUDeIqqfgehXzY6Twuz/hZKsSqeaDqeDLl3E6+ulf1aZbiEQAeSrl9qQfzLm HgdnA91SfAHYmW/l9TFgtRyWg5+u3UJRZjg6FPtfUTR9h4hshBGiNq0wGK4wwfas92HF aL7VG6e4IhPhOaioNReY1HwEfH2Ad4ZANI0c+e5FFOcuN4+HZNWQlTBAdAJNntMLx4x3 Ji68o0OHy4NBtr9uUYFT5S/fXmi4Ymw1ysblzQmNZ/HTeVezj1cxMWOeDg7lv0XLRfgR WxGQ==
X-Gm-Message-State: APjAAAV5fvIofIIvWgoBBIEYEBp+e+RpKWsIkAG8IAPuv1xxibDcgB+t h8BED6KMuMYLIWlbVGgvjSUC8NSdjG4SEWLqLr0ltyLaqV2ZXrI6r7DAPblP0fZb0yqjx6jHWhv R8w8zd6+KoWJ/dw==
X-Google-Smtp-Source: APXvYqzPpfrg4kWja7KWFeE47OZgpj7vX9pazCQZvgFD8mb8xzLEcX+qEwJDgNxXu3mz/TJwUkGgHbuQ8tlqm0juHoE=
X-Received: by 2002:a2e:81c7:: with SMTP id s7mr3382697ljg.3.1576703967428; Wed, 18 Dec 2019 13:19:27 -0800 (PST)
MIME-Version: 1.0
References: <157653653318.24509.15075582637514649078@ietfa.amsl.com> <CAO_FVe4jYtrCiGAFSKQo2UF2WDCu8Yf8ww9_biMoW4TJPQ2Qpw@mail.gmail.com>
In-Reply-To: <CAO_FVe4jYtrCiGAFSKQo2UF2WDCu8Yf8ww9_biMoW4TJPQ2Qpw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 18 Dec 2019 14:19:00 -0700
Message-ID: <CA+k3eCSzm7W1k8rYz7spbUmjWpnfc001mF=Ht3+OA5LQTv=dgQ@mail.gmail.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e51987059a00ffb9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/C9prgdVUal1vbuQCGI2l7dnG_7A>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 21:19:32 -0000
-03 Sec 2.1 has: "The typ header parameter for a JWT access token MUST be at+jwt. See the security considerations section for details on the importance of preventing JWT access tokens to be interpreted as id_tokens." As previously mentioned in https://mailarchive.ietf.org/arch/msg/oauth/BWH6BEhKt29aJ4TUYtcLckdCqO4 Connect doesn't say anything about checking the "typ" header of id tokens so typing ATs with "at+jwt" doesn't actually do anything to prevent JWT access tokens being used as id tokens. It can prevent misuse in the other direction. But this document probably shouldn't overstate what typing the JWT can accomplish. On Mon, Dec 16, 2019 at 3:50 PM Vittorio Bertocci <Vittorio= 40auth0.com@dmarc.ietf.org> wrote: > Dear all, > I finally found the time to push a new draft of the JWT profile for ATs. > This version incorporates the feedback kindly provided by Brian and Aaron > at IETF105. > Unfortunately I didn't have a chance to participate to IETF106, hence we > didn't do much progress since then. > There are still two areas we didn't manage to reach consensus on: > > 1. Mechanisms for signaling whether the AT was obtained by a user or an > application > > This point was the subject of intense debate on the list leading to > IETF105. > One insight that emerged from the IETF105 discussion was that the use case > here is more about whether the AT has been obtained via a grant that > authenticated the client (regardless of what specific grant was used) vs a > public client grant- that information can be relevant to a resource as it > determines whether the identity of the client can be used in authorization > decisions (in the former case) or not (in the public client case). If > that's the scenario we are truly after, a simple, possibly optional boolean > claim (say AuthenticatedClient) would suffice. > Note for the people who didn't read the spec: I removed any reference to > this already in draft-ietf-oauth-access-token-jwt-01. I think this is an > important and useful info and standardizing it would be beneficial for > middleware and SDK creators, but ultimately this is an interop profile > hence if there's no strong desire to reach an agreement here, I am also OK > with dropping the matter and not address this function in the spec. > To summarize, I have two questions here: > > A. Do we believe it's worth it to formalize in the profile a mechanism to > indicate whether the client th obtained the AT authenticated itself with > the AS? > B. If yes, are you OK wiht an optional bool claim here? > > > 2. Claims indicating session properties > > This is one area where I am far more passionate about, as it represents a > fundamental aspect that production systems (and in particular 1st party > solutions) already rely on in the current proprietary JTW ATs. > The profile currently includes the claims auth_time, acr and amr - > capturing the values of those properties at the time of the latest > authentication the user performed in the session used to issue the current > AT: at session creation, at auth step up time and so on. > Those are values that API need in order to make authorization decisions; > in the case of 1st party APIs, the AT is the only artifact they ever > receive hence there is no other way for an API to determine whether the > caller performed say MFA in order to obtain the current AT. > Since the first draft, some people signaled concerns about the current > mechanisms thru which those claims get their value. For example, it has > been proposed to maintain the original values of auth_time, acr & amr and > introduce additional claims to indicate changes (like stepup). > I am not clear on what cold go wrong with the current approach, hence I > don't have an immediate grasp of how changes like the above would help. > If the people uncomfortable with the current proposal could detail their > concern, we can brainstorm ways to make that info available to API in a > safer way. To summarize: > > A. Do you have concerns with the current auth_time, arm, acr proposal? Can > you spell them out? (please read the relevant parts of the spec before > chiming in :)) > B. If yes, what can we do to make that info available to RSs in a way that > makes you comfortable? > > > > Thanks > > V. > > On Mon, Dec 16, 2019 at 2:49 PM <internet-drafts@ietf.org> wrote: > >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the Web Authorization Protocol WG of the >> IETF. >> >> Title : JSON Web Token (JWT) Profile for OAuth 2.0 >> Access Tokens >> Author : Vittorio Bertocci >> Filename : draft-ietf-oauth-access-token-jwt-03.txt >> Pages : 16 >> Date : 2019-12-16 >> >> Abstract: >> This specification defines a profile for issuing OAuth 2.0 access >> tokens in JSON web token (JWT) format. Authorization servers and >> resource servers from different vendors can leverage this profile to >> issue and consume access tokens in interoperable manner. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/ >> >> There are also htmlized versions available at: >> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-03 >> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-03 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-03 >> >> >> Please note that it may take a couple of minutes from the time of >> submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] I-D Action: draft-ietf-oauth-access-to… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Vittorio Bertocci
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Richard Backman, Annabelle
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Vittorio Bertocci
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Vittorio Bertocci
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Vittorio Bertocci
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Vittorio Bertocci
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Vittorio Bertocci
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Steinar Noem
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-acces… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Benjamin Kaduk
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: I-D Action… Justin Richer